International Herald Tribune

In open source, an unexpected trap
By Kevin J. O'Brien International Herald Tribune
FRIDAY, DECEMBER 9, 2005

BERLIN: As open-source software spreads to personal computers, servers and Internet networking equipment around the world, so too does the misuse of the rules governing the software - a product that is commonly but often mistakenly thought to be free and unprotected.
 
Such plagiarism, experts say, has led to a string of lawsuits, created hurdles to technology mergers and opened up a market for products meant to guard against violations.
 
"Open-source compliance is a big issue," said Mitchell Baker, president of the Mozilla Foundation, which distributes Firefox, the world's most widely used open-source Web browser, installed on 60 million personal computers, or 11 percent of the total.
 
The problem is that despite its name and reputation, open-source software is distributed with strings attached. While it is true that the software's source code - its binary DNA, so to speak - is open for any programmer to read, adapt and change, there are restrictions and conditions on its use.
 
Harald Welte, a 26-year-old software developer in Berlin, was peeved in 2003 when he learned that a company in Irvine, California, was selling software that used Netfilter/iptables, a program he had created with five software developers in Australia, Japan, Canada and Germany.
 
The California company, Linksys, had failed to honor a critical part of the General Public License, or GPL, the most common of about 90 open-source licenses in use today. Under the GPL, any product that includes a licensed program must publish its underlying source code, that is, the computer instructions as written in a programming language. To make matters worse, Linksys had just been bought for $500 million by Cisco Systems, the world's biggest maker of networking equipment.
 
After the Free Software Foundation, holder of the GPL license, wrote to Cisco and Linksys to criticize the license breach, Cisco published the source code of the Linksys product, thus giving credibility to the idea of enforcing open-source licenses and spawning new caution among sellers of software.
 
"This kind of infraction is not as uncommon as one might think," said Welte, whose efforts have also forced Deutsche Telekom, Siemens and smaller European software makers like Allnet, Sitecom and Fortinet, among 50 others, to publish source code because they were selling products based on his software. "Violations are getting more common all the time."
 
Open-source software is used widely. This year, 69 percent of all Web servers run on open-source software developed by the Apache Foundation, according to NetCraft, an industry research company based in Bath, England.
 
The open-source Linux operating system runs one-quarter of all file servers in the United States and one in five in Europe, according to International Data Corp. MySQL, an open-source database program developed by a Swedish company, is on six million corporate file servers and claims to have one-third of the global database market.
 
But Welte and other experts question whether the companies that use these products understand the licensing requirements. Even if the violations are inadvertent, as some watchdogs believe, they are still violations.
 
The GPL's main requirement is that developers who incorporate open-source software into new products agree to publish the revised source code in its entirety. This is intended to guarantee that open-source software and the innovations it inspires remain open.
 
Some open-source licenses, like the one Mozilla attaches to its Firefox browser, do not require developers to disclose the entire software code of subsequent innovations, just the relevant subset of binary information used in its new product. By narrowing the disclosure requirement, Baker said, Mozilla aims to accelerate the use of its software by overcoming copyright concerns.
 
Georg Greve, president of the Free Software Foundation Europe, said complaints about the handling of open-source software and its licenses were rising, although he was unable to quantify the increase. "We have four full-time people who investigate these," he said. "That's not enough."
 
Welte said he is pressing 35 other complaints against companies accused of misusing his team's open-source router software. Welte was so incensed by the violations he uncovered that he started GPL-violations.org, a Web site to report open-source license violations.
 
The Free Software Foundation plans to revise the basic terms of the GPL next year for the first time since 1991. The first public meeting on changes is to be held Jan. 16 at the Massachusetts Institute of Technology.
 
Companies like MySQL can profit from their open-source software in two ways: by maintaining the software for clients or by selling private versions of the software, not covered by the GPL, that companies can manipulate for their own purposes without having to disclose their work.
 
Heather Meeker, a lawyer who specializes in intellectual property issues at the firm Greenberg Traurig in East Palo Alto, California, said that open-source compliance is becoming crucial in some mergers involving technology companies. Often, sale prices are negotiated lower, Meeker said, if companies cannot vouch that their licenses are in order.
 
"Tech companies are increasingly using open-source software to fast-track their own development," Meeker said. "These days, every single tech company is using open source in their products."
 
That is why Lloyd's of London, the world's biggest seller of specialized insurance to businesses, began offering "open-source compliance insurance" last month to companies involved in mergers and acquisitions. The coverage, up to $10 million, offsets losses in valuation caused by open-source violations. The policy costs 1 percent to 3 percent of the total amount insured, said Matthew Hogg, an underwriter at R.J. Kiln, the Lloyd's subsidiary underwriting the software insurance. "What this does is enable people to feel more comfortable about open source and embrace it further," he said.
 
Ian Lewis, director of science and technology at Miller Insurance Services, a Lloyd's unit that is selling the insurance, said the legal risk of misuse has been growing. Over the last two years, Lewis said, 30 acquired companies have been sued after the buyers learned they had purchased products that violated open-source licenses. "Often, the companies themselves are not aware whether their products comply," Lewis said.
 
Some, like Cisco, which was forced to publish the code of the router software after its purchase of Linksys, are no longer taking chances. This year Cisco hired Palamida, a San Francisco-based company that screens code for matches against its huge archive of open-source software.
 
Palamida's search service costs $5,000 to $250,000 a year, depending on the size of the company and the searches needed, said Mark Tolliver, chief executive.
 
"The use of open-source software is extraordinarily widespread today," said Tolliver, a former chief marketing officer at Sun Microsystems. "I think that most organizations would find that there is open-source software being used in their companies or products that they are not aware of."
 
That companies as large as Cisco are screening their products for license violations shows that open-source software has come of age, Tolliver said.
 
 


IHT Copyright © 2005 The International Herald Tribune | www.iht.com