Canada: Focus on Technology, November 2006 - Sun Microsystems Shines New Light on Open Source Software: Effectively Managing the Risks of Using Open Source Software

Last Updated: December 4 2006
Sun Microsystems Shines New Light on Open Source Software: Effectively Managing the Risks of Using Open Source Software

On November 13, 2006, Sun Microsystems ("Sun") announced that it would be releasing the source code of its implementations of Java technology as free software 1 under the terms of the GNU General Public License (the "GPL") 2. This phased release, which is scheduled to be completed in the first quarter of 2007, was referred to by Sun as "one of the largest source code contributions under the GPL license". With over 3.8 billion Java technology enabled devices, it also represents one of the most significant moves into the open source software model by a commercial enterprise.

The move by Sun is being hailed by many of the leading supporters of the open source movement as a "bold move". It also serves as an important reminder to organizations that develop and distribute software (either as a stand-alone product or embedded into hardware or other devices) of the increasing pervasiveness of open source software and the risks that are associated with its use.

Open Source Software

While most people involved in the technology industry are familiar with the concept of open source software, a brief overview is necessary for the uninitiated. Most commercially available software (for the purposes of this article referred to as "closed software") is only made available in machine readable form (commonly referred to as "object code"), pursuant to the terms and conditions of a software licence that permits only limited use of the software and prohibits the user from making modifications to the software, or reverse engineering the software to discover its source code. As a result, users of such software are dependent on the supplier for bug fixes and improvements to the software.

Under the open source model, the source code to the software is also made available to the end user. While some are under the mistaken belief that open source software can be used without restriction, software distributed under the open source model, as is the case with closed software, is distributed under the terms and conditions of a software licence. The terms of such open source licences, however, are generally more permissive than closed software licences, and include the right to modify, and redistribute, the source code to others.

The Risks of Open Source Software

Despite the benefit of having access to source code and being able to modify it, many companies have been reluctant to use open source software in their software development activities. This reluctance is due to several risk factors. These include: (i) uncertainty regarding the origins of the software and the reliability of the software programmers; (ii) concerns over potential intellectual property infringement, including patent infringement; (iii) lack of indemnification for infringement claims; (iv) the shifting of risk of errors, viruses, etc. to the licensee (i.e. no warranties); (v) the "viral" nature of some open source licences (e.g. GPL); (vi) the forking of code development; (vii) inadvertent granting of patent rights by distributing open source software; (viii) patent retaliation provisions in some open source licences; (ix) incompatibility of some open source licences with one another 3; (x) uncertainty regarding the interpretation and enforceability of some open source licences; and (xi) potential liability for damages and/or risk of an injunction if use of open source software does not comply with the terms of the applicable licence agreement.

One of the most discussed of the above referenced risk factors is the so-called "viral" nature of some open source licences, such as the GPL. Under the terms of the GPL, any modifications made to the source code which are distributed by the licensee, must also be made available in source code form. In addition, if a licensee wishes to distribute a work that includes or is derived or based on code licensed under the GPL 4, the licensee must distribute the entire work under the terms of the GPL, and must make the source code to the entire work available to its licensees. In the case of Sun's licensing of its Java implementations, it has added what is called the "Class path exception" to the terms applicable to some of its technology. This exception allows for linking code licensed under the Class path exception with closed software without triggering the "viral" effect of the GPL.

For companies that distribute their software under the traditional closed software model, using software licensed under the terms of the GPL (or similar licences) in the development of their closed software products can have unintended and disastrous consequences. By way of example, consider the following scenario:

John is a the Vice-President of sales for an up and coming technology company. In meeting with potential customers, John discovers that while they really like his company's product, it is missing a few features that are found in John's company's main competitor's product. John tells the President and the CTO of his company that sales will likely double if they can add the missing features into the next version of the product.
The request finds it way down to Bob, the beleaguered head of software development, who, already faced with a looming deadline must now find a way to include these features in the next version of the product. He hands the assignment to one of his developers who promptly begins searching the Internet for possible solutions. His developer discovers that there is a company that has developed code that offers the missing features. A licence to use and distribute such code, however, will cost $50,000, plus on-going royalties. In addition, only the object code is made available, and Bob's company will have to enter into an annual maintenance agreement with the supplier to receive bug fixes and new versions. The developer also discovers that a clever programmer from Sweden has developed similar code and has posted the source code on the Internet. Given that there is no budget to pay the licence fees requested by the first supplier, and there is no time to develop the code from scratch, Bob and his developer make what they decide is a "no-brainer" decision. They download the Swedish developer's code and incorporate it into their company's product.
The new version of the product is a success and sales for the company have sky-rocketed. With this success has come increased attention from several companies who express interest in purchasing the company. After reaching a tentative agreement on a purchase price with one of the company's suitors, the prospective buyer discovers some unsettling things during its due diligence review.
First, it discovers that the code licensed from the Swedish developer was licensed under the terms of the GPL. By including the GPL code in its closed software product, and licensing such product under the customary terms of a closed software licence, the company has violated the terms of the GPL. It also learns that the Swedish developer has been sending letters to other companies who have used his software reminding them of their obligations under the GPL, including making available the source code to works in which his code has been incorporated, and threatening to take legal action if they do not comply. The prospective purchaser's due diligence also reveals that the company has made representations and given warranties in its agreements with its large corporate customers that its software does not, and will not, include any third party code licensed under the terms of the GPL. Finally, the prospective purchaser discovers that the company's products include several other instances of open source code, much of which is licensed under the terms of different software licences, the terms of which appear to be incompatible.
Upon such discovery, the negotiations to purchase the company come to a grinding halt as the prospective purchaser indicates that it needs time to assess whether it wishes to proceed with the deal, and if so, what impact these discoveries will have on the purchase price.

As this example demonstrates, the risks associated with using open source software are not trivial.

Managing the Risks of Open Source Software

Despite the risks associated with using open source software, one cannot ignore its benefits. As a result, many organizations have made the decision to use selected open source software in their businesses. In electing to use open source software, however, it is important to implement a strict procedure for evaluating the merits and risks of using each particular item of open source code under consideration. While each organization will need to tailor such procedure to its own needs and structures, some of the common elements found in a typical open source software management procedure include the following:

(a) Open Source Committee

A committee to oversee the management of open source software use in the organization should be created. The committee should include technical, business and legal representation. The committee's purpose is to educate the company's personnel and institute controls over the use of open source software.

(b) Open Source Policy

One of the commonly used devices for educating personnel and controlling the use of open source software is the creation of an open source policy. The policy should educate personnel regarding the risks of using open source software, as well as set out the process for seeking approval to use open source software and the process for ensuring compliance with the policy.

(i) Approval Process

The approval process should be structured in manner that allows for an efficient assessment of each request to use open source software and that results in a well-reasoned "Yes" or "No" response. Again, the approval process should be tailored to the structure of the organization, but in creating an approval process, the following elements should be considered:

A. review of the supplier (e.g. Red Hat v.s. "guy in his basement");

B. search for known problems (e.g. Internet search for any known, or alleged, intellectual property infringement issues);

C. quality control standards - does assessing organization have minimum requirements for code quality, documentation, support, warranties or indemnities?;

D. identify intended use of open source software (e.g. internal use only, modification, combination with other code, redistribution);

E. identify any other sources of code which address problem, including potential for developing in-house; and

F. review of licence terms for open source code - is intended use permissible? Are there licence incompatibility issues? Is the license of the "viral" variety and how will the intended use affect other code developed or used by the organization? Does the licence included mandatory patent license or patent retaliation provisions? Identify compliance obligations.

(ii) Guidelines for Making Modifications

The open source policy should also include guidelines for making and approving modifications to open source software. Questions to be considered include: Will the organization be making modifications to the open source software? If so, are modifications for internal use only or for redistribution? If required by the licence terms, is the organization comfortable with releasing the source code to such modifications?

(iii) Contributions to the Open Source Community

The open source policy should prohibit contributions of the organization's source code to open source projects without approval. If the organization wishes to contribute code to the open source community a full analysis needs to be conducted, including ensuring that the organization has all necessary rights to disclose the source code to others and that the appropriate open source licence terms are chosen. The open source policy should also set out restrictions on an employee who wish to participate in an open source project that is unrelated to his job, including requiring prior disclosure of such participation, that he must not use the organization's resources and equipment in doing so, and that he must not identify his employer.

(iv) Compliance with Open Source Policy

A policy is only useful if it is diligently followed. As a result, it is important that the organization implement measures that allow it to track its adherence to its open source policy. One common method for tracking compliance is the performance of regular audits of software development projects (e.g. using automated auditing tools) for the presence of open source software and comparing the results to the approvals granted during the approval process.

(v) Licensing and M&A Transactions

As we have seen from the example above, it is possible for company executives to be unaware that open source software has been used in the development of its products. As a result, an organization's open source policy should set out the standard of due diligence it requires when licensing or acquiring technology from third parties, or considering an investment or acquisition of a company. At a minimum, the applicable transaction documents should include appropriate representations and warranties regarding the use of open source software (with appropriate carve-outs from any caps on liability). We have also found it useful to have the licensor or target company complete a short open source software questionnaire as part of the due diligence process so as to highlight the importance of the issue and focus attention not only on the use of open source software, but also to try to gain an understanding of the manner in which it is being used and under what licence terms.

Summary and Endnotes

As Sun's recent announcement illustrates, the use of the open source model to distribute software is increasing. While, in the past, open source software might have been dismissed by some as a fringe movement with which commercial software developers need not be concerned, open source software and the impact of its use on your organization can no longer be ignored. As shown above, remaining in the dark regarding the risks associated with the use of open source software can have disastrous consequences for your organization. Such risks, however, may be mitigated by gaining an understanding of open source software and creating appropriate policies and procedures for managing its use.


1. The reader should be aware that, though quite similar, "Free Software" and "Open Source Software" are not synonymous. For convenience, we have chosen to use the term "open source software" in this article to refer to software that falls under either, or both, definitions. Those interested in exploring the differences (and similarities) between Free Software and Open Source Software are encouraged to consult the Free Software Foundation's web site at and the Open Source Initiative's web site at .

2. The GPL is a software licence agreement authored by the Free Software Foundation. The GPL is discussed in greater detail below. See also

3. For example, the Free Software Foundation currently lists 30 GPL-compatible "free" software licences, 37 GPL-incompatible "free" software licences and 24 non-free, and thus GPL-incompatible, licences on its web site, at

4. What qualifies as a work "derived from" or "based upon" a GPL licenced program is the subject of much commentary, question and debate. For the purpose of this article, it is sufficient to state that the answer is not always easy to arrive at.

This article is for information purposes only and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues discussed in this article as they apply to your particular circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions