Are Your Licenses Compliant?

If you work with Open Source software every day, you probably do not think for a moment about license compliance. In fact, if you are not an IT manager or professional intellectual property lawyer, you might not even think about it at all. Until you get the phone call.

My last article was back in the first week of January. It was probably written over the Christmas break, before I got the phone call. It was not that I was not expecting the phone call, but I was certainly not expecting to disappear into a morass of legal discussion, code review, and debate sessions that would make Members of Parliament blanch. I was not expecting to be looking for loop holes to make my technical decisions easier or to be losing sleep wondering if we would get our product corrected soon enough to be able to get it out the door this quarter and fulfill the sales that our reps had already booked. And while the company was not blaming me per se, there was certainly a lot of focus on me and my team to clean up what was essentially a five-year-old mistake.

For a variety of reasons, I cannot go into some of the details. But let me explain the situation as best I can. The company makes a product. An appliance actually, and we use a lot of Open Source code. We also license a number of other pieces of code, both quasi-Open Source and proprietary, and bundle them all together into this appliance. One of the contracts with a piece of the quasi-Open Source code expired and we set about the task of renegotiating it. So far, not a big deal right? That was exactly what we were thinking back in the fourth quarter of last year when we started this. It rapidly went downhill. Like so many popular programs, the company we had originally signed the contract with had been bought by a larger company – actually a couple of them. So now we were not dealing with a friendly Open Source company but a group of…what’s the term? Oh, yes, flesh eating lawyers. Still, we were not really asking for much more than a renewal of the contract and more reasonable terms, because we do represent a revenue stream to them. So far, everything was good. And then we discovered that we were using the wrong binaries.

It turns out that the code existed in a licensed version and a community version. We had been using the community version. Slap!

It might have ended there, but we really kind of needed to use the software, so that meant that we had to get back on the good side. Simple, straightforward, and easy right? Just hit the Easy Button® and everything is good right? Um. No.

Again, I won’t dive into the messy details, the late nights, the impossible schedules, the lack of being able to deliver product, the yelling, the screaming, the sleepless nights, the long phone calls and of course the lawyers. I think Shakespeare might have had a point.

The moral of the story is this. Do not wait until the phone rings. Do not wait until the lawyers are sharpening their pencils. Make sure you are in good shape now. The costs -- monetary, health, and welfare -- are not worth it.

For more on how you can get your hands around Open Source licensing, read my post from Day 1 of LinuxCon 2010 and visit the Linux Foundation for more details on their license programs.

Shameless promotion: For those in the Washington, DC area, I will be presenting a talk entitled Linux and Amateur Radio: The Development Divide at the Columbia Area Linux User’s Group’s April meeting. Visit the CALUG’s website for details and directions.


David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

A very well behave flesh

Advantix For Dogs's picture

A very well behave flesh eating lawyers. :-)
couldn't agree more David,
not worth it at all...

Your Gift for Your beloved Dogs in 2011 : Advantix For Dogs

It's a setup

Anonymous's picture


1. you "spent a fair amount or time" talking to Black Duck at Linuxcon (about 6 months ago) and

2. in your article you refer readers to your report of day 1 of same Linuxcon where you "spent a fair amount or time" talking to Black Duck and

3. you wrote a (commercial) case study of the company and product in 2006, and

Yet you forgot about them in the "throes" of your problem, and while writing the article!

Obviously Not in IT

Anonymous's picture

If you were in IT you would know that you get constant "my product can make your world better" spiels (cue birds singing and sunshine beaches)all the time. The fact that the author spoke with them 6 months ago at a conference...material but not damning. Since then, if he's like the rest of us, he's been called by every other vendor there at least once, received at least 2 follow-up "remember me emails," not to mention all of the solicitation from vendors he may have met at other conferences, events, etc. And that doesn't count the contacts from places who troll these types of web sites. Until proven otherwise, suggest you take the man at his word and move on. If you can't do that, there are lots of other folks to read who hide behind Anonymous.

Not certain why the Open Source

Anonymous's picture

1. All products are licensed, and you need to conform to the license. Open Source, Proprietary, doesn't matter. So this was not an Open Source issue, it was a Licensing issue.

2. Not even certain the open sourceness of the issue - I assume it was the release of source code (GPL) from the comment "It turns out that the code existed in a licensed version and a community version. We had been using the community version. Slap!"

If the product is not modified by you, simple answer is add a copy of the source code to a disk included with the product. If it is modified, you can either release the source code anyway (which is allowable under GPL, and may not actually help your competitors), or license the "licensed" version. From an open source standpoint, why couldn't you release the source code?

amateur radio

crlsgms's picture

i would give my tux out to attend this lecture. :(
will it be broadcasted / recorded by any means?

CALUG presentation

David Lane's picture

I will see what I can do about getting it recorded. It wasn't something I had planned on, but I have the tools, so we will see what I can do. In the meantime I need to figure out what I am going to say ;)

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

uhm this 'article' seems to

Anonymous's picture

uhm this 'article' seems to be an ad setup to promo black duck.. i'm not impressed

It wasn't

David Lane's picture

And I resent the implication. While Black Duck can help you prevent the situation I found myself in, I had forgotten about them at the time I wrote the article (and while I was in the throes of the situation as well). I do my best not to promote one vendor or service over another. I am willing to say I have used a product and my results from using it. If this helps you, great, and if not, that's OK too.

In this particular case, Peter points out, quite rightly, that his company could have made things easier for me and my company. He is correct. But I neither told him about the article in advance nor did I write it with them in mind.

I do my best to portray the issues as I see them, and to help the readers of Linux Journal learn from my mistakes.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Is this about android, java,

Anonymous's picture

Is this about android, java, sun and oracle.

Make compliance easy

Peter Vescuso's picture


I agree that developers should focus on code, but they also can't ignore the fact that all open source comes with a license. It's a fact of life, and open source licenses exist because open source developers want something back for their efforts and it's not money, most of the time it's acknowledgment and, if it's GPL code, access to the enhancements. The issue is developers shouldn't have to spend time evaluating licenses and worrying about compliance. At Black Duck we developed our software platform to do just that -- let developers focus on finding or developing the best code for the task at hand, while we automate the compliance, obtaining approval, etc.


Black Duck!

David Lane's picture

I spent a fair amount of time talking with Black Duck at LinuxCon and I have been encouraging my folks to get in contact with you over our issue. They have resisted it to date, but I think that will change.

I certainly encourage anyone who develops and makes money with Open Source code to get Black Duck involved before they get The Call. I would also point out it is a lousy diet program.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack