I gave a talk at LinuxWorld called "Avoiding Open Source Lawsuits: Five Steps to Effective Open Source Governance in the Enterprise." I suppose it wasn’t the wisest title, since my point was to dispel FUD (fear, uncertainty and doubt), not create it. (I borrowed the title (and a few slides) from an OpenLogic webinar, although my talk was substantially different.)
The point of my talk was that although I think there’s very little chance you’ll get sued for using open source software, if you (or your manager) are worried about it, there are a few things you can do to dispel those fears. (My goal is to convince more people to use open source software by dispelling myths and giving people tools to convince the opposition.) By having clear policies and processes for dealing with open source software, a company can ensure not only that it isn’t doing anything it could be sued for, but also that if it is sued (or just approached by someone like the SFLC), it can show that it was doing its best to comply with open source licenses. If you show you are doing the right thing, open source developers and those that represent them are more likely to help you straighten things out than they are to sue you. Open source software developers in general want their software to be used!
So what should you do?
- Find out what open source software you are using. For this I recommend OSSDiscovery. (And once you’re done, go ahead and submit it to the Open Source Census to help spread the word about how much open source software is being used.) But whether you use the tools or not, you should keep track of what you are using.
- Establish a clear open source policy. This should include not only guidelines for how your company should use open source software but also training so that developers can evaluate licenses and know when to get help. (For help with this see FOSSBazaar.org.)
- Set up a review board. There are always exceptions, new licenses and different ways of using open source software, and your employees should have access to experts to help them make an educated decision as a company.
- Make sure you are complying with the licenses you are using. To me, the hardest part of complying with open source software licenses is knowing what licenses you are using. Sometimes projects contain lots of different licenses or the project you want to use depends on a number of other projects, all with their own license. Tools like Fossology and OpenLogic’s OLEX can help determine which licenses you are using.
- Track and audit. Show that you are tracking what open source software you are using and periodically auditing it, and I am sure that if you are approached by the FSF or SFLC, they will be more than happy to work with you.
The SFLC is not suing to make money for the BusyBox developers – they are suing to make sure that people are using GPL licensed software appropriately. I did mention a few lawsuits in my talk but it wasn’t to point out how much money people were making (I’m not sure anyone has made any money off suing for misbehavior around open source software) but rather to give specific examples of what could happen. All too often I think people don’t use open source software because they are afraid of "being sued" and they aren’t even really sure what they could be sued for.
To make a long story short, I think there’s little chance that a company that is trying to do the right thing will get sued for using open source software. Especially if they have clear policies and processes that show they are actively tracking, reviewing and managing the open source software they use just like they would track their use of proprietary software.