In a report on enterprise open source usage released this week, Gartner research director Laurie Wurster stated in rather strong language that companies could face a big intellectual property issue because they are using the software without understanding the IP implications of the licensing language. But is she exaggerating the danger and is there less complexity with open source licenses than with proprietary ones?
What's The Matter Here?
According to the Gartner press release announcing the survey results, Gartner found that 69 percent of companies surveyed still have no formal policy for evaluating and cataloguing open source software usage in their organizations, a situation that, they claim, opens up "huge potential liabilities" related to intellectual-property violations.
In fact, Wurster admonished companies who were purchasing open source for not having more formal policies in place. "Just because something is free doesn't mean that it has no cost," she lectured. "Companies must have a policy for procuring [open source software], deciding which applications will be supported by [open source software], and identifying the intellectual property risk or supportability risk associated with using [it]. Once a policy is in place, then there must be a governance process to enforce it."
Is This Really a Problem?
This is probably a sound idea regardless of whether you are using open source or proprietary software, but the question remains whether she is overstating the problem. I asked Pamela Jones, who covers open source legal issues at the Groklaw blog, what she thought of Wurster's comments, and she confirmed my suspicion that Wurster is making a mountain out of a molehill.
"I think she's overstating it. It's hardly news that licenses need to be complied with, and heaven only knows the EULAs and/or agreements on proprietary licenses can be troublesome. Look at the SCO v. Novell 4-year ring-around-the-rosie on what the terms in a 1995 contract meant," Jones said.
Should You Be Concerned?
The Gartner survey went on to say that a lack of governance was the biggest challenge reported by the open source users surveyed. Wurster sees real pain in trying to establish sound policies, though she expects the problem to diminish as open source software finds its way deeper and deeper into the enterprise.
"Understanding when and how an [open source] alternative may be used is a frustrating process, especially when there are so many license types and forms from which to choose," Wurster said. "As time goes by, many of these concerns will be addressed, but this continues to be a slow process. Increases in [open source] popularity and in the rate of [open source] adoption will drive the required changes."
Maybe so, but Groklaw's Jones believes that open source licenses are a lot easier to comply with than proprietary ones and says Wurster is being overly alarmist when she makes these claims. "The license you often see mentioned is the GPL, and it's really quite simple to stay in compliance," Jones said.
Of course, you should always make sure you're in compliance with your licenses, whatever they may be. If you have concerns about open source compliance, Jones recommends you look at a recently published GPL Compliance Guide.
License management will remain a problem regardless of whether software is copy protected or under the GNU GPL. What I think is of greater concern is source code management of open source in the enterprise. Since open source is relatively quick to deploy in instances around an organization, it becomes more difficult for a central IT governance body to manage which versions of the software have been implemented. Also, new modules/components may be built in one department that could be useful elsewhere.
As an example, recently a large media company came to me explaining that they had implemented an open-source digital asset management solution in numerous locations around the company, but they were now having a hard time managing the divergent code bases from those implementations.
This is not an insurmountable challenge: it goes back to good old IT governance. No matter what kind of software is getting implemented in an enterprise, it really should go through some level of validation from IT, who ultimately has to manage the implementation at some point in the future. Some departments whose relationships with IT might be strained will no doubt not like this recommendation, but at the end of the day, like any marriage, you've just got to work through the kinks in the relationship!