Stay Posted

short lines


Open Source Software – Freedom and Governance

May 2010


Recent reports and surveys

In its Spring 2009 report, ‘OSS Goes Mainstream’[i], Research consultancy Forrester found Open Source Software (‘OSS’) to top the issues list for software decision makers inside the organisation: what they are looking for most is what will help them “go faster, cheaper, better” – improve integration, reduce cost and stay innovative – and OSS “hit on all these points”.

In a survey[ii] of 175 OSS users across a wide range of application segments concluded at the end of 2009, Black Duck, the leading provider of OSS management services, found that OSS accounted for 20% of the code base of the average product or application surveyed and estimated the cost of developing that OSS code at around $25m per product/application. Black Duck’s CEO commented:

“Driven by a new pragmatism with its roots in creating software more efficiently and effectively, development organizations and companies are using open source to gain significant competitive advantage in a multi-source development process”.

The Forrester report and the Black Duck survey point up the importance, ubiquity and rationale of OSS use in today’s market places. OSS speeds up times to market, frees up expensive development resource for higher value work, tends towards standardisation in a converging world and hastens the trend towards cloud and service based computing.

These trends are reinforced further when you consider the popularity and maturity of leading OSS products - Linux accounts for around 20% of the server operating system market and is increasingly used in embedded applications; the Apache HTTP Server has since the ‘90s been the most popular web server; MySQL is the most widely used database server; and the Firefox web browser continues to gain traction.

Reconciling OSS freedoms and responsibilities: the move towards formal OSS governance

From our standpoint as legal advisors, we’re seeing a much more widespread understanding of the benefits and pitfalls of OSS use and a growing recognition of the desirability of a formal governance system inside the organisation.

The start point is to view OSS as a range of associated licensing techniques, with the GPL family of licences[iii] still the most commonly used[iv]. GPL 2.0 remains the byword for the issue that first drew OSS to the attention of the mainstream corporate legal world – the novel ‘copyleft’ principle of inheritance at Article 2(b) of GPL2: where you distribute your code and it ‘contains or is derived from’ the GPL2 OSS, you must ‘license out’ on the GPL terms under which you ‘licensed in’.

Although there is a growing body of case law (mainly from Germany and the US West Coast) around the edges, there’s still no authoritative case as to the extent of the ‘copyleft’ Article 2(b) GPL 2.0 principle (or indeed whether it is effective at all – although it’s probably fair to say that the general consensus is in favour). This combination of novelty and legal uncertainty, superimposed on technical processes carried out at enormous speed and complexity, can make the practical legal analysis taxing. And ‘copyleft’ is just one of the issues – other common ones include what amounts to ‘distribution’, particularly in the ASP, SaaS and cloud worlds; how other software interacts with Linux; how Java Script code and snippets operate; and treatment of libraries under the LGPL[v].

Five objectives and four pillars for OSS governance

Increasingly, the balance between the benefits that OSS use confers and the responsibilities that OSS licences impose is struck inside the organisation by establishing a proportionate, tailored and effective framework for OSS governance[vi] with five objectives:

  1. know what OSS your organisation is using;
  2. know where that OSS is coming from;
  3. know what that OSS does and where it is being used and re-used;
  4. know who is responsible for what in relation to OSS; and
  5. know that your organisation is complying with its OSS licence obligations;

and four pillars on which OSS governance can rest:

  1. identifying all OSS stakeholders – involve all interested parties, including CEO, CFO, CIO, HR, GC and customers and suppliers;
  2. establishing a written OSS strategy – aligning with corporate, risk management, IP and other statements of organisational strategy;
  3. establishing an OSS policy – a clear, brief, event driven policy setting out the criteria and decision points for OSS use (aiming to settle at least 80% of decisions) and the information to be tracked and collected; and
  4. establishing the processes that will be used to implement the policy – the processes take the strain inOSS governance.

Consider using a pilot in one part of the business to gain experience that can then be rolled out across the organisation as a whole. Consider also an amnesty to get the development community onside – winning hearts and minds.
As a practical matter, the importance of technology platforms to minimise time and cost, increase efficiency, enhance collaboration, improve record-keeping and ensure validation can’t be over-emphasised.

OSS governance to manage OSS use effectively

As OSS use in the organisation achieves ubiquity, OSS governance rapidly becomes a ‘must have’ not just a ‘nice to have’ in order to manage risk and benefit effectively.

Each organisation’s needs will be different, and senior management will need to consider all aspects of this complex question carefully before embarking on OSS governance implementation, as they would any sophisticated software development project.

At the end of the journey, management is looking to have in place integrated processes across all relevant business functions to manage effective use of OSS throughout the organisation. To get there, it should consider disassembling the various pieces into their building block components and threading them together by start point (achievements to date), people (stakeholders) and the strategic, policy and process aspects.

Richard Kemp

[i]http://www.forrester.com/rb/Research/open_source_software_goes_mainstream/q/id/54205/t/2

[ii]http://www.blackducksoftware.com/news/releases/2009-11-10

[iii]GNU General Public License 2.0, GNU GPL 3.0, GNU Lesser Public Licence 2.1, GNU LGPL 3.0 and Affero GPL 3.0 are the most important ones.

[iv]See for example, Black Duck’s ‘top 20 most commonly used licences in Open Source Projects at http://www.blackducksoftware.com/oss/licenses#top20, showing the GPL 2.0 and LGPL 2.1 accounting for 49% and 10% respectively, and those 2 and GPL 3.0 and LGP 3.0 accounting for 65% in total.

[v]For further examples, and a more general introduction to OSS, see our white paper at http://www.kemplittle.com/PDFs/Article_OpenSource_FreedomsResponsibilitiesGovernance_May 2010.pdf

[vi]See also our white paper at http://www.kemplittle.com/PDFs/Article_OpenSource_FreedomsResponsibilitiesGovernance_May 2010.pdf

Sitemap  /  Legal Notices

Kemp Little LLP Solicitors, Cheapside House, 138 Cheapside, London, EC2V 6BJ
Tel: +44 (0) 20 7600 8080    Fax: +44 (0) 20 7600 7878
© 2007 Kemp Little LLP         An Embado.com solution