
02.06.07


Validating Open Source IP Indemnity

By Savio Rodrigues

Roberto writes that Sun has agreed to include an Italian dictionary and thesaurus (from the Italian Native-Lang Project team) in the official OpenOffice.org distro. Congrats to Roberto & team!

In explaining why the decision from OpenOffice.org took longer than Roberto & team expected, Sun's Simon Phipps (Chief Open Source Officer) explained:

"...by using the GPL rather than the LGPL for your contribution, it was necessary for Sun's legal team to conduct an extensive discussion about the implications of distributing it with OpenOffice.org (which as you know is licensed under LGPL)."

Simon's quote got me thinking about my WAS Community Edition (WAS CE) days. Mixing different licenses in a project isn't always so clear-cut. Even when working with similar licenses, when a large commercial vendor (i.e. a large litigation target) is involved, they tend to be cautious, wanting to protect their IP and investment and guard against litigation.

IBM has a rigorous process before we use, and hence distribute, open source software (OSS) code of any license inside an IBM product. Even with WAS CE, which is built with Apache Geronimo, an ASF licensed product, we had to validate that the code was appropriately licensed and that copyrights were being respected. On more than one occasion the WAS CE development team found code that was iffy from a copyright standpoint. The team rewrote the code and contributed it to the Geronimo project.

At the time, I'd suggested we talk about IBM's OSS usage approval process as a customer value point. What good is indemnity if your OSS vendor doesn't have procedures which enable them to give IP assurances with confidence? Saying "we own all the IP, so don't worry" isn't always the full answer. This is especially true for IP that was contributed by a 3rd party.


For example, let's say I get some piece of code from the Linux kernel and use it in a personal application for so long that I forget that it's not actually my IP, but something I copied. Then, I submit some of "my" code, including the IP that I don't really own, into, e.g., OpenOffice.org and grant OpenOffice.org joint copyrights to "my" code. Now what?

Regardless of what license I attached to "my" code that I contributed, there is a potential risk to the OpenOffice.org project, and Sun (as it distributes the commercial StarOffice distro). What if I contributed someone else's copyrighted code knowingly? What happens when a larger OSS project is actually built with sub-projects from different communities that aren't under the stewardship of the larger OSS project?

[Note: I'm only using Sun/OpenOffice as an example; you can substitute IBM/Apache Geronimo if you like.]

Yes, the code scanning & checking of IP ownership is in place to protect the vendor, and fortuitously, the OSS project. But shouldn't customers know the level of "background checks" in place before accepting "indemnity protection"? Why don't we hear about these "background checks" more often from OSS vendors? Is it because OSS vendors providing indemnity don't do the checks, or because the only way for a vendor to 100% guard against IP indemnity claims is to go buy an insurance policy?

[Note: We didn't include "IP background checks" in our WAS CE customer marketing because the legal team didn't want us to give customers a false sense of security as checks can always miss something. Yeah, the legal team is more cautious as a result of SCO, which is to be expected. But as the example of SCO shows, IP violation claims will almost always hit the largest wallet in the project-vendor-customer chain, so customers are often in the clear regardless of indemnity clauses.]

It would be interesting to hear whether Sun does any checking on 3rd party IP contributed to OpenOffice (and their other OSS projects). What about OSS vendors like Red Hat or OpenLogic?

BTW, please read my disclaimer here.



About the Author:
I am taking a semi-break from IBM life as I return to finish a PhD in Industrial Engineering. I've held roles in market intelligence, strategy and product management. I'm ex-product manager of IBM WAS Community Edition, and blog about enterprise open source topics.

About ITProNews
News and updates for the IT professional



-- ITProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
©2007 iEntry, Inc. All Rights Reserved
