Canada: Focus on Technology, November 2006 - Sun Microsystems Shines New Light on Open Source Software: Effectively Managing the Risks of Using Open Source Software

Last Updated: December 4 2006

On November 13, 2006, Sun Microsystems ("Sun") announced that it would be releasing the source code of its implementations of Java technology as free software 1 under the terms of the GNU General Public License (the "GPL") 2. This phased release, which is scheduled to be completed in the first quarter of 2007, was referred to by Sun as "one of the largest source code contributions under the GPL license". With over 3.8 billion Java technology enabled devices, it also represents one of the most significant moves into the open source software model by a commercial enterprise.

The move by Sun is being hailed by many of the leading supporters of the open source movement as a "bold move". It also serves as an important reminder to organizations that develop and distribute software (either as a stand-alone product or embedded into hardware or other devices) of the increasing pervasiveness of open source software and the risks that are associated with its use.

Open Source Software

While most people involved in the technology industry are familiar with the concept of open source software, a brief overview is necessary for the uninitiated. Most commercially available software (for the purposes of this article referred to as "closed software") is only made available in machine readable form (commonly referred to as "object code"), pursuant to the terms and conditions of a software licence that permits only limited use of the software and prohibits the user from making modifications to the software, or reverse engineering the software to discover its source code. As a result, users of such software are dependent on the supplier for bug fixes and improvements to the software.

Under the open source model, the source code to the software is also made available to the end user. While some are under the mistaken belief that open source software can be used without restriction, software distributed under the open source model, as is the case with closed software, is distributed under the terms and conditions of a software licence. The terms of such open source licences, however, are generally more permissive than closed software licences, and include the right to modify, and redistribute, the source code to others.

The Risks of Open Source Software

Despite the benefit of having access to source code and being able to modify it, many companies have been reluctant to use open source software in their software development activities. This reluctance is due to several risk factors. These include: (i) uncertainty regarding the origins of the software and the reliability of the software programmers; (ii) concerns over potential intellectual property infringement, including patent infringement; (iii) lack of indemnification for infringement claims; (iv) the shifting of risk of errors, viruses, etc. to the licensee (i.e. no warranties); (v) the "viral" nature of some open source licences (e.g. GPL); (vi) the forking of code development; (vii) inadvertent granting of patent rights by distributing open source software; (viii) patent retaliation provisions in some open source licences; (ix) incompatibility of some open source licences with one another 3; (x) uncertainty regarding the interpretation and enforceability of some open source licences; and (xi) potential liability for damages and/or risk of an injunction if use of open source software does not comply with the terms of the applicable licence agreement.

One of the most discussed of the above referenced risk factors is the so-called "viral" nature of some open source licences, such as the GPL. Under the terms of the GPL, any modifications made to the source code which are distributed by the licensee, must also be made available in source code form. In addition, if a licensee wishes to distribute a work that includes or is derived or based on code licensed under the GPL 4, the licensee must distribute the entire work under the terms of the GPL, and must make the source code to the entire work available to its licensees. In the case of Sun's licensing of its Java implementations, it has added what is called the "Class path exception" to the terms applicable to some of its technology. This exception allows for linking code licensed under the Class path exception with closed software without triggering the "viral" effect of the GPL.

For companies that distribute their software under the traditional closed software model, using software licensed under the terms of the GPL (or similar licences) in the development of their closed software products can have unintended and disastrous consequences. By way of example, consider the following scenario:

John is the Vice-President of sales for an up and coming technology company. In meeting with potential customers, John discovers that while they really like his company's product, it is missing a few features that are found in John's company's main competitor's product. John tells the President and the CTO of his company that sales will likely double if they can add the missing features into the next version of the product.
The request finds its way down to Bob, the beleaguered head of software development, who, already faced with a looming deadline, must now find a way to include these features in the next version of the product. He hands the assignment to one of his developers who promptly begins searching the Internet for possible solutions. His developer discovers that there is a company that has developed code that offers the missing features. A licence to use and distribute such code, however, will cost $50,000, plus on-going royalties. In addition, only the object code is made available, and Bob's company will have to enter into an annual maintenance agreement with the supplier to receive bug fixes and new versions. The developer also discovers that a clever programmer from Sweden has developed similar code and has posted the source code on the Internet. Given that there is no budget to pay the licence fees requested by the first supplier, and there is no time to develop the code from scratch, Bob and his developer make what they decide is a "no-brainer" decision. They download the Swedish developer's code and incorporate it into their company's product.
The new version of the product is a success and sales for the company have sky-rocketed. With this success has come increased attention from several companies who express interest in purchasing the company. After reaching a tentative agreement on a purchase price with one of the company's suitors, the prospective buyer discovers some unsettling things during its due diligence review.
First, it discovers that the code licensed from the Swedish developer was licensed under the terms of the GPL. By including the GPL code in its closed software product, and licensing such product under the customary terms of a closed software licence, the company has violated the terms of the GPL. It also learns that the Swedish developer has been sending letters to other companies who have used his software reminding them of their obligations under the GPL, including making available the source code to works in which his code has been incorporated, and threatening to take legal action if they do not comply. The prospective purchaser's due diligence also reveals that the company has made representations and given warranties in its agreements with its large corporate customers that its software does not, and will not, include any third party code licensed under the terms of the GPL. Finally, the prospective purchaser discovers that the company's products include several other instances of open source code, much of which is licensed under the terms of different software licences, the terms of which appear to be incompatible.
Upon such discovery, the negotiations to purchase the company come to a grinding halt as the prospective purchaser indicates that it needs time to assess whether it wishes to proceed with the deal, and if so, what impact these discoveries will have on the purchase price.

As this example demonstrates, the risks associated with using open source software are not trivial.

Managing the Risks of Open Source Software

Despite the risks associated with using open source software, one cannot ignore its benefits. As a result, many organizations have made the decision to use selected open source software in their businesses. In electing to use open source software, however, it is important to implement a strict procedure for evaluating the merits and risks of using each particular item of open source code under consideration. While each organization will need to tailor such procedure to its own needs and structures, some of the common elements found in a typical open source software management procedure include the following:

(a) Open Source Committee

A committee to oversee the management of open source software use in the organization should be created. The committee should include technical, business and legal representation. The committee's purpose is to educate the company's personnel and institute controls over the use of open source software.

(b) Open Source Policy

One of the commonly used devices for educating personnel and controlling the use of open source software is the creation of an open source policy. The policy should educate personnel regarding the risks of using open source software, as well as set out the process for seeking approval to use open source software and the process for ensuring compliance with the policy.

(i) Approval Process

The approval process should be structured in a manner that allows for an efficient assessment of each request to use open source software and that results in a well-reasoned "Yes" or "No" response. Again, the approval process should be tailored to the structure of the organization, but in creating an approval process, the following elements should be considered:

A. review of the supplier (e.g. Red Hat vs. "guy in his basement");

B. search for known problems (e.g. Internet search for any known, or alleged, intellectual property infringement issues);

C. quality control standards - does the assessing organization have minimum requirements for code quality, documentation, support, warranties or indemnities?;

D. identify intended use of open source software (e.g. internal use only, modification, combination with other code, redistribution);

E. identify any other sources of code which address problem, including potential for developing in-house; and

F. review of licence terms for open source code - is intended use permissible? Are there licence incompatibility issues? Is the licence of the "viral" variety and how will the intended use affect other code developed or used by the organization? Does the licence include mandatory patent licence or patent retaliation provisions? Identify compliance obligations.

(ii) Guidelines for Making Modifications

The open source policy should also include guidelines for making and approving modifications to open source software. Questions to be considered include: Will the organization be making modifications to the open source software? If so, are modifications for internal use only or for redistribution? If required by the licence terms, is the organization comfortable with releasing the source code to such modifications?

(iii) Contributions to the Open Source Community

The open source policy should prohibit contributions of the organization's source code to open source projects without approval. If the organization wishes to contribute code to the open source community, a full analysis needs to be conducted, including ensuring that the organization has all necessary rights to disclose the source code to others and that the appropriate open source licence terms are chosen. The open source policy should also set out restrictions on an employee who wishes to participate in an open source project that is unrelated to his job, including requiring prior disclosure of such participation, that he must not use the organization's resources and equipment in doing so, and that he must not identify his employer.

(iv) Compliance with Open Source Policy

A policy is only useful if it is diligently followed. As a result, it is important that the organization implement measures that allow it to track its adherence to its open source policy. One common method for tracking compliance is the performance of regular audits of software development projects (e.g. using automated auditing tools) for the presence of open source software and comparing the results to the approvals granted during the approval process.

(v) Licensing and M&A Transactions

As we have seen from the example above, it is possible for company executives to be unaware that open source software has been used in the development of their company's products. As a result, an organization's open source policy should set out the standard of due diligence it requires when licensing or acquiring technology from third parties, or considering an investment or acquisition of a company. At a minimum, the applicable transaction documents should include appropriate representations and warranties regarding the use of open source software (with appropriate carve-outs from any caps on liability). We have also found it useful to have the licensor or target company complete a short open source software questionnaire as part of the due diligence process so as to highlight the importance of the issue and focus attention not only on the use of open source software, but also to try to gain an understanding of the manner in which it is being used and under what licence terms.

Summary and Endnotes

As Sun's recent announcement illustrates, the use of the open source model to distribute software is increasing. While, in the past, open source software might have been dismissed by some as a fringe movement with which commercial software developers need not be concerned, open source software and the impact of its use on your organization can no longer be ignored. As shown above, remaining in the dark regarding the risks associated with the use of open source software can have disastrous consequences for your organization. Such risks, however, may be mitigated by gaining an understanding of open source software and creating appropriate policies and procedures for managing its use.

Footnotes

1. The reader should be aware that, though quite similar, "Free Software" and "Open Source Software" are not synonymous. For convenience, we have chosen to use the term "open source software" in this article to refer to software that falls under either, or both, definitions. Those interested in exploring the differences (and similarities) between Free Software and Open Source Software are encouraged to consult the Free Software Foundation's web site at www.fsf.org and the Open Source Initiative's web site at www.opensource.org .

2. The GPL is a software licence agreement authored by the Free Software Foundation. The GPL is discussed in greater detail below. See also www.fsf.org/licensing/education.

3. For example, the Free Software Foundation currently lists 30 GPL-compatible "free" software licences, 37 GPL-incompatible "free" software licences and 24 non-free, and thus GPL-incompatible, licences on its web site, at www.fsf.org/licensing/licenses/index_html.

4. What qualifies as a work "derived from" or "based upon" a GPL-licensed program is the subject of much commentary, question and debate. For the purpose of this article, it is sufficient to state that the answer is not always easy to arrive at.

This article is for information purposes only and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues discussed in this article as they apply to your particular circumstances.
