
Network World

Phil Odence

You can't even drive free software without a license

IT organizations need to understand open source licensing, just because

By Phil Odence on Wed, 05/05/10 - 8:19am.

Software licensing in general, and open source licensing in particular, is poorly understood. I was reminded of this last week when speaking on a panel to a group of investors and entrepreneurs, the value of whose companies depends on protection of their intellectual property. Increasingly, IT organizations too are coming to appreciate how critical it is to know the origins and licensing of the software they are deploying. Nascent industry standardization efforts will make sharing license information easier for all.

As with a car, you can't drive anyone's software without a license. Software is protected by copyright, and the presumption is that only the owner may use it unless they give you permission. A license provides that permission under conditions and with obligations defined by the owner.

The tricky part about open source is that it's extremely easy to get permission to use it. OSS licenses are designed to propagate the software readily. Your company essentially agrees to the obligations without signing a piece of paper, just by using the software. It reminds me of my daughter clicking a free offer that ended in my paying for five magazine subscriptions.

James Markwith, an attorney for GE, was also on last week's panel. His sage advice is that you should think of open source as a subset of third party software. You would never use commercial software without understanding its licensing; that applies equally to open source.

But even commercial software is no longer straightforward. What if it contains open source code and your vendor hasn't properly met their obligations? It means you are not properly licensed to run that software. Who can stop you? Well, maybe a court. There is not a lot of precedent; however, in theory an injunction could ruin your day. But aren't you protected by your vendor's license? Maybe to an extent, but maybe not. And even with vendor indemnification, more than one big company has been dragged into a lawsuit.

The risk of getting caught may not be huge, nor the downside catastrophic, but on the other hand, your company probably wants to respect software IP and license requirements. Karen Copenhaver, attorney for the Linux Foundation, said at a recent summit, "Whereas two years ago companies were looking to do the minimum possible to comply, today they believe that how they handle licensing reflects on their reputation."

There are lots of good reasons to do the right thing. For your internal development, that means understanding what open source components are being deployed and the associated licensing obligations. For commercial or outsourced applications, you should be asking your suppliers for a Bill of Materials and associated licenses.

Today the lack of reporting standards puts a burden on vendors, but the industry is addressing this. I'm co-chairing the Software Package Data Exchange working group of FOSSBazaar, part of the Linux Foundation. We are developing a standard way to describe all of the licensing information that applies to a software package. This will provide guidance to and ease the burden on suppliers, and ultimately make it easier for everyone to do the right thing. More on that in a future blog.

About Look to the Source

Phil Odence is Vice President of Business Development for Black Duck Software, makers of enterprise app development tools that address management, compliance and security challenges associated with open source. In that role Phil is responsible for expanding Black Duck's reach, image and product breadth by developing partnerships in the multi-source development ecosystem. He came to Black Duck from Empirix (formerly RSW Software and Hammer Technologies), a leader in carrier VoIP, contact center and Web application testing and monitoring. He served there as Vice President of Business Development, successfully developing the firm's alliance program, creating strategic partnerships, starting up new businesses and supporting M&A activities. Prior to Empirix, Phil was a partner at High Performance Systems, a computer simulation modeling firm where he was responsible for consulting and partnerships with leading management consultancies, including McKinsey and A.T. Kearney.

He began his career with Teradyne’s digital logic simulation group in several sales and marketing management roles. He has an AB in Engineering Science and an MS in System Simulation from Dartmouth College.

Black Duck counts a long list of well-known technology companies as partners. These include IBM, Novell, Red Hat, HP, Intel and Microsoft.

When not at work, Phil can be found running barefoot, which he documents in his entertaining Barefoot? Phil blog.
