Closing Open-Source Gaps by Developing a Policy
Open-source software is becoming ubiquitous, but companies need to be aware that its use must be carefully managed. Problems can arise because many open-source licenses require that users who incorporate open-source code in their software make their own source code available for free (at no more than the cost of reproduction), permit modifications of the software and permit redistribution without charging a fee.
These obligations could dramatically decrease the value of commercial software that incorporates open source, and the scope of these obligations is unclear. For example, basic terms in the General Public License (GPL), the most commonly used open-source license, such as "derivative work" and "collective work," are not well defined for software. Another major concern is that the GPL terminates immediately upon any breach of its terms, rather than following the more common contract approach of providing a cure period in which to remedy any such breach.
Failure to address these issues can be expensive. A company that uses software without a license is in violation of copyright law and could be liable for significant damages. Similarly, automatic termination means that a company that incorporates open-source software in a consumer product risks millions of dollars in damages if it makes an error in incorporating open-source software.
The use of open-source software is further complicated because the Open Source Initiative has approved over 50 licenses as meeting the Open Source Definition. Many of these licenses are not compatible. For example, a software module licensed under GPL can't be distributed with modules licensed under the Mozilla Public License.
Despite these uncertainties, Fortune 500 companies such as IBM, Google Inc., Wells Fargo & Co., DaimlerChrysler AG and ETrade Financial Corp. use open-source software. Major companies such as IBM, Oracle Corp., Sun Microsystems Inc., Sony Corp. and Hewlett-Packard Co. have incorporated open-source software in their products, and some companies have shifted from a commercial to an open-source model for major products, such as Sun for its Solaris operating system and CA Inc. for its Postgres database software. Even the U.S. Department of Defense, in a recent strategic report on its IT needs, advocated the use of open-source software. However, the uncontrolled use of open-source software can lead to serious problems. Consider that IBM reduced the purchase price for Think Dynamics Inc. by 30% due to uncertainties arising from the use of open source.
Given these uncertainties, software developers and users need to manage the use of open-source software. It is no longer possible to simply prohibit its use. Rather, companies should avoid these problems by adopting an open-source use policy, which should address the following issues:
- Use of open-source components in products for third parties.
- Use of open source for internal purposes.
- Approved usage models.
- Implementation of policy by industry experts or outsourced teams.
- Permitted/forbidden open-source licenses.
- Rules for contribution by employees to open-source projects.
- Use of commercial products (Black Duck/Palamida) to audit use of open-source code.