Feeds

Management 'scared' by open source

Suits petrified of covert open-source developers

Internet Security Threat Report 2014

EclipseCon Fear is stalking the corridors of corporate power, as executives sweat over the legal exposure caused by developers using open source software.

And the suits are resorting to play-it-safe legal advice and draconian management techniques in a vain attempt to stop open source crossing their frontier. Tactics include blocking popular sites like SourceForge and banning use of USB drives.

And, such is the hysteria, some business mergers have nearly come undone over the acquirees' use of open source.

In all, developers attending this week's EclipseCon must have had their darkest fears - that senior management is out of touch with the development shop floor - confirmed during a lively panel discussion on intellectual property issues and the risks of blending commercial and open source software.

Attending the panel were IBM, BEA Systems, OpenLogic, Black Duck, and Palamida. Yes, you could call this a case of predictable vendor scaremongering to drum up new business, but don't forget some well known open source cases are already on record - Tivo, Linksys/Cisco, and Progress Software versus MySQL, anyone?

What's behind such shenanigans?

According to Palamida co-founder Jeff Luszcz a disconnect exists between managers who set corporate open source policies and developers supposed to follow them, but who end up covering their tracks to make it seem like they are not using open source. Developers, though, end up using open source because of its ubiquity and not using it "puts them at a competitive disadvantage because their competitors are".

An example of the disconnect? OpenLogic director of community and partner programs Stormy Peters, who outlined the measures taken by one company, said: "We had a customer with a policy of no open source. They ended up blocking SourceForge.net, but people started downloading at home on thumb drives. The company then started saying 'no thumb drives'. You can't keep this up!"

Another problem: the increasingly distributed nature of development makes bans impossible, as offshore teams and outsourcing partners employ open source.

Companies running open source also often make the mistake of thinking they are running a relatively benign, commercial-friendly license like BSD when they are actually using GPL, which has limitations on modification and distribution of code.

And that's a problem because 10 per cent of open source code leaks out of development and into final product, meaning companies really are potentially at risk from rightfully aggrieved software authors. In at least one case, an ISV paid a developer after its product shipped because it contained their GPL'd code.

With GPL 3.0 coming, things ain't going to get any easier - especially for Software as a Service (SaaS). Sit up and pay attention Silicon Valley.

SaaS providers should ensure any modified GPL'd software they use is not deliberately or inadvertently downloaded to the user as this could be considered distribution. "No one can make that call until there has been a court case. [Use] is at your own risk. I'd say be very sure you are not distributing that software," Peters said.

What's creating the confusion? Everyone's favorite: license proliferation. Yes, there might be 58 OSI-approved licenses, but there are also thousands of vanity licenses that vary by only tiny degrees - an interesting fact, given Eclipse created its own (OSI-approved) license that happens to be incompatible with the GPL.

Black Duck president and CEO Doug Levin blamed proliferation and general lack of knowledge among the very legal teams management relies on for creating extreme lock down policies. "That stems from attorneys not being fully educated about open source software. This has to change as more information becomes available." Peters agreed: "Open source has a lot of FUD associated with it...it should be a case of weighing up the risks and the reward."

Among the panel's recommendations: educating managers about open source and licenses, regularly reviewing processes, and monitoring donations to the community. ®

Remote control for virtualized desktops

More from The Register

next story
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Post-Microsoft, post-PC programming: The portable REVOLUTION
Code jockeys: count up and grab your fabulous tablets
Twitter App Graph exposes smartphone spyware feature
You don't want everyone to compile app lists from your fondleware? BAD LUCK
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.