Validating Open Source IP Indemnity
Roberto writes that Sun has agreed to include an Italian dictionary and thesaurus (from the Italian Native-Lang Project team) in the official OpenOffice.org distro. Congrats to Roberto & team!
“…by using the GPL rather than the LGPL for your contribution, it was necessary for Sun’s legal team to conduct an extensive discussion about the implications of distributing it with OpenOffice.org (which as you know is licensed under LGPL).”
Simon’s quote got me thinking about my WAS Community Edition (WAS CE) days. Mixing different licenses in a project isn’t always so clear-cut. Even when working with similar licenses, when a large commercial vendor (i.e. a large litigation target) is involved, they tend to be cautious, wanting to protect their IP and investment and to guard against litigation.
IBM has a rigorous process before we use, and hence distribute, open source software (OSS) code of any license inside an IBM product. Even with WAS CE, which is built with Apache Geronimo, an ASF-licensed product, we had to validate that the code was appropriately licensed and that copyrights were being respected. On more than one occasion the WAS CE development team found code that was iffy from a copyright standpoint. The team rewrote the code and contributed it to the Geronimo project.
At the time, I’d suggested we talk about IBM’s OSS usage approval process as a customer value point. What good is indemnity if your OSS vendor doesn’t have procedures which enable them to give IP assurances with confidence? Saying “we own all the IP, so don’t worry” isn’t always the full answer. This is especially true for IP that was contributed by a 3rd party.
For example, let’s say I get some piece of code from the Linux kernel and use it in a personal application for so long that I forget that it’s not actually my IP, but something I copied. Then, I submit some of “my” code, including the IP that I don’t really own, into, e.g., OpenOffice.org and grant OpenOffice.org joint copyrights to “my” code. Now what?
Regardless of what license I attached to “my” code that I contributed, there is a potential risk to the OpenOffice.org project, and Sun (as it distributes the commercial StarOffice distro). What if I contributed someone else’s copyrighted code knowingly? What happens when a larger OSS project is actually built with sub-projects from different communities that aren’t under the stewardship of the larger OSS project?
[Note I’m only using Sun/OpenOffice as an example, you can substitute IBM/Apache Geronimo if you like.]
Yes, the code scanning & checking of IP ownership is in place to protect the vendor, and fortuitously, the OSS project. But shouldn’t customers know the level of “background checks” in place before accepting “indemnity protection”? Why don’t we hear about these “background checks” more often from OSS vendors? Is it because OSS vendors providing indemnity don’t do the checks, or because the only way for a vendor to 100% guard against IP indemnity claims is to go buy an insurance policy?
[Note: We didn’t include “IP background checks” in our WAS CE customer marketing because the legal team didn’t want us to give customers a false sense of security as checks can always miss something. Yeah, the legal team is more cautious as a result of SCO, which is to be expected. But as the example of SCO shows, IP violation claims will almost always hit the largest wallet in the project-vendor-customer chain, so customers are often in the clear regardless of indemnity clauses.]
BTW, please read my disclaimer here.
I am taking a semi-break from IBM life as I return to finish a PhD in Industrial Engineering. I’ve held roles in market intelligence, strategy and product management. I’m ex-product manager of IBM WAS Community Edition, and blog about enterprise open source topics.