Are Your Licenses Compliant?
If you work with Open Source software every day, you probably do not think for a moment about license compliance. In fact, if you are not an IT manager or professional intellectual property lawyer, you might not even think about it at all. Until you get the phone call.
My last article was back in the first week of January. It was probably written over the Christmas break, before I got the phone call. It was not that I was not expecting the phone call, but I was certainly not expecting to disappear into a morass of legal discussion, code review, and debate sessions that would make Members of Parliament blanch. I was not expecting to be looking for loopholes to make my technical decisions easier, or to be losing sleep wondering if we would get our product corrected soon enough to get it out the door this quarter and fulfill the sales that our reps had already booked. And while the company was not blaming me per se, there was certainly a lot of focus on me and my team to clean up what was essentially a five-year-old mistake.
For a variety of reasons, I cannot go into some of the details. But let me explain the situation as best I can. The company makes a product. An appliance, actually, and we use a lot of Open Source code. We also license a number of other pieces of code, both quasi-Open Source and proprietary, and bundle them all together into this appliance. One of the contracts for a piece of the quasi-Open Source code expired and we set about the task of renegotiating it. So far, not a big deal, right? That was exactly what we were thinking back in the fourth quarter of last year when we started this. It rapidly went downhill. Like so many popular programs, the company we had originally signed the contract with had been bought by a larger company – actually a couple of them. So now we were not dealing with a friendly Open Source company but a group of…what’s the term? Oh, yes, flesh-eating lawyers. Still, we were not really asking for much more than a renewal of the contract and more reasonable terms, because we do represent a revenue stream to them. So far, everything was good. And then we discovered that we were using the wrong binaries.
It turns out that the code existed in a licensed version and a community version. We had been using the community version. Slap!
It might have ended there, but we really kind of needed to use the software, so that meant we had to get back on their good side. Simple, straightforward, and easy, right? Just hit the Easy Button® and everything is good, right? Um. No.
Again, I won’t dive into the messy details, the late nights, the impossible schedules, the lack of being able to deliver product, the yelling, the screaming, the sleepless nights, the long phone calls and of course the lawyers. I think Shakespeare might have had a point.
The moral of the story is this. Do not wait until the phone rings. Do not wait until the lawyers are sharpening their pencils. Make sure you are in good shape now. The costs -- in money, health, and welfare -- are not worth it.
For more on how you can get your hands around Open Source licensing, read my post from Day 1 of LinuxCon 2010 and visit the Linux Foundation for more details on their license programs.
Shameless promotion: For those in the Washington, DC area, I will be presenting a talk entitled Linux and Amateur Radio: The Development Divide at the Columbia Area Linux User’s Group’s April meeting. Visit the CALUG’s website for details and directions.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
Comments
Very well-behaved flesh-eating lawyers. :-)
Couldn't agree more, David,
not worth it at all...
It's a setup
So,
1. you "spent a fair amount of time" talking to Black Duck at LinuxCon (about 6 months ago) and
2. in your article you refer readers to your report of day 1 of the same LinuxCon where you "spent a fair amount of time" talking to Black Duck and
3. you wrote a (commercial) case study of the company and product in 2006, and
Yet you forgot about them in the "throes" of your problem, and while writing the article!
Obviously Not in IT
If you were in IT you would know that you get constant "my product can make your world better" spiels (cue birds singing and sunshine beaches) all the time. The fact that the author spoke with them 6 months ago at a conference is material but not damning. Since then, if he's like the rest of us, he's been called by every other vendor there at least once, received at least 2 follow-up "remember me" emails, not to mention all of the solicitation from vendors he may have met at other conferences, events, etc. And that doesn't count the contacts from places who troll these types of web sites. Until proven otherwise, I suggest you take the man at his word and move on. If you can't do that, there are lots of other folks to read who hide behind Anonymous.
Not certain why the Open Source
1. All products are licensed, and you need to conform to the license. Open Source, proprietary, doesn't matter. So this was not an Open Source issue, it was a licensing issue.
2. I'm not even certain of the open-sourceness of the issue - I assume it was the release of source code (GPL) from the comment "It turns out that the code existed in a licensed version and a community version. We had been using the community version. Slap!"
If the product is not modified by you, the simple answer is to add a copy of the source code to a disk included with the product. If it is modified, you can either release the source code anyway (which is allowable under the GPL, and may not actually help your competitors), or license the "licensed" version. From an Open Source standpoint, why couldn't you release the source code?
amateur radio
I would give my Tux out to attend this lecture. :(
Will it be broadcast / recorded by any means?
CALUG presentation
I will see what I can do about getting it recorded. It wasn't something I had planned on, but I have the tools, so we will see what I can do. In the meantime I need to figure out what I am going to say ;)
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
Uhm, this 'article' seems to be an ad setup to promo Black Duck... I'm not impressed.
It wasn't
And I resent the implication. While Black Duck can help you prevent the situation I found myself in, I had forgotten about them at the time I wrote the article (and while I was in the throes of the situation as well). I do my best not to promote one vendor or service over another. I am willing to say I have used a product and my results from using it. If this helps you, great, and if not, that's OK too.
In this particular case, Peter points out, quite rightly, that his company could have made things easier for me and my company. He is correct. But I neither told him about the article in advance nor did I write it with them in mind.
I do my best to portray the issues as I see them, and to help the readers of Linux Journal learn from my mistakes.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
Is this about Android, Java, Sun and Oracle?
Make compliance easy
David,
I agree that developers should focus on code, but they also can't ignore the fact that all open source comes with a license. It's a fact of life, and open source licenses exist because open source developers want something back for their efforts, and it's not money; most of the time it's acknowledgment and, if it's GPL code, access to the enhancements. The issue is that developers shouldn't have to spend time evaluating licenses and worrying about compliance. At Black Duck we developed our software platform to do just that -- let developers focus on finding or developing the best code for the task at hand, while we automate the compliance, obtaining approval, etc.
Peter
Black Duck!
I spent a fair amount of time talking with Black Duck at LinuxCon and I have been encouraging my folks to get in contact with you over our issue. They have resisted it to date, but I think that will change.
I certainly encourage anyone who develops and makes money with Open Source code to get Black Duck involved before they get The Call. I would also point out it is a lousy diet program.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack