The Linux Foundation has released a new course for developers looking at licensing compliance. The course is called Open Source Compliance Basics for Developers (LFC191), and it is free and self-paced. Importantly, this is not just a course for developers: IT managers, project managers and even legal teams should consider taking it.
The goal of the course is to ensure that developers understand how open source licensing works. Many people believe that open source means free to use however they want. That is not the case. There are numerous issues that need to be understood, ranging from licenses around copyright and patents to requirements to file changes and the right to use and distribute code. The problem is that few really understand these issues, and many inadvertently break the conditions attached to open source code.
According to Linux Foundation Executive Director Jim Zemlin: “The easier it is to understand, comply with and manage open source software and licensing, the more code that gets shared for everyone and the more innovation that takes place. By lowering the cost and complexity of compliance we hope we can increase the ability for everyone to share.”
The risks of litigation are real
Meeting legal requirements is one of the key elements that large software companies factor into their release cycles. They have teams that check for software patents that may impact their code, make sure that every copyright is acknowledged and look at the detailed usage clauses in any third-party software that they use.
One of the reasons for doing this is to avoid expensive litigation from companies often referred to as patent trolls. These are companies that have purchased large software patent libraries. Their business model is to then use those libraries to bring lawsuits against developers. Over the last decade we’ve seen a number of high-profile lawsuits against companies such as IBM, Microsoft, Google and others. Some of these have been dismissed by the courts, but others have been upheld, costing hundreds of millions of dollars in both fines and costs.
While open source developers might think that they are immune from this type of issue, they are not. It may be that a piece of software that has been released as open source is later alleged to have infringed a software patent. This would mean that anyone using that software could be found guilty of an infringement.
To help reduce the impact of patent claims, Google, IBM, Red Hat, SUSE, NEC, Philips and Sony created the Open Innovation Network. The goal was to create a pool of defensive patents that could be used to protect Linux and developers using Linux. This has been successful, with over 1946 companies signing up to the OIN to use their patents to defend themselves from attack.
There are similar issues with copyright. Most open source code allows for code to be used, reused, distributed, modified and a range of other actions taken. However, in the copyright clause that grants those rights there is often a statement along the lines of: “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.” Failure to do this would leave a developer at risk of legal action.
The Linux Foundation Open Compliance courses
This course is just the latest in a series of courses from the Linux Foundation as part of its Open Compliance series. Other courses in this series look at best practices for open source compliance and creating a compliance approach across software development.
There is a real need for companies to protect themselves when working with open source. The first and most important line of defence is always to get it right before using or distributing code. The problem for many organisations is the misunderstanding that open source comes with no legal requirements or restrictions. This is a false premise that could cost a company a lot of money.
By making this course freely available, the Linux Foundation is doing its part to raise awareness. The next step is down to developers, IT managers and even the legal department to understand what is involved in using open source code.
Companies that use software should already have an item on their risk register that covers the lack of software licenses. Those companies that use open source software should also have one that covers license infringements, as the penalties can be severe if the software is being used for commercial gain. This course is one measure that can be used to help mitigate such a risk. However, it is not enough to merely take the course; companies need to apply the lessons learnt from doing so in order to reduce the business risk.