Open source licensing minefield looms

With the rise of open source software in the enterprise, companies increasingly run the risk of violating either open source or commercial software licences, legal experts at LinuxWorld have claimed.

The risk centres on applications developed and maintained by internal IT organisations. When developers mix code governed by the General Public Licence (GPL) with proprietary code from a company like Microsoft, they violate both Microsoft's licence and the GPL.

Because incompatible licences are mostly a result of mixing open source code with proprietary software, the threat of licence violations is most pressing for developers who grew up working on proprietary software, according to Bill Weinberg, open source architecture specialist at the Open Source Development Labs.

"The risk is real. But if you can police the code in your own application, it's fine. The challenge is knowing what's in your device or application," he told vnunet.com.

The GPL requires developers to reveal the work performed on a product. If they add proprietary code, the developers are obliged to disclose it. The Free Software Foundation takes action against such violations 20 to 30 times a year.

Companies including Microsoft and Oracle, on the other hand, prohibit customers from mixing their code with any open source code. A breach of this clause can lead to penalty licence fees.

In one instance, Computer Associates ran one of its open source applications through a so-called code scrubber that looks for licence violations and found 10 infringements, a source told vnunet.com.

The risk of mixing open source and proprietary code is a result of the rise of open source within the enterprise, according to Doug Levin, chief executive at software compliance management firm Black Duck Software.

"It is very easy to pick up stray code and put it in your releases. Software no longer necessarily becomes yours. The nature of software development has changed," he told vnunet.com.

Black Duck develops ProtexIP, a product that specialises in software compliance management. The suite checks applications for possible licence violations.