'Infectious' Open Source Software?

Gavo writes "Law firm Chapmann Tripp advises New Zealand State Services Commission that the New Zealand Government should be wary of using 'infectious' open source software. They claim 'While the use of open source software has many benefits, it brings with it a number of legal risks not posed by proprietary or commercial software.'"

The #1 reason why articles like this are BS...

Yes, if you paste OSS code into your software project, you will need to follow their license. As opposed to copying proprietary source code ... which will merely LAND YOU IN COURT for piracy, hacking &/or theft of trade secrets. See, isn't that a much better option?

Between The Lines

"We've noticed a substantial drop in the amount of EULA's being drafted, as well as an air of goodwill and cheer creeping into the normally sour and beligerent computer software industry, leading naturally to a decrease in important economy stimulating litigation.

Time to break out the FUD cakes!"

Of course ....

There's more risk of OSS being called on IP violations. YOU CAN SEE THE CODE!!!!!!!!
MS has been sued how many times now for IP violations? - and that's with people having to either "steal" the code or sue to see it.
Unfortunately, I do see more IP challenges to OSS in the future. On the up side I also see those challenges being handled by the OSS community with rapid patches to remove the problem - unless it's something like BT sueing over links.

Infectious!

It's all true!! I set up one little Linux box, and the next morning my phone, toaster, and kitchen sink were all being freely updated and improved by thousands of collaborators all over the world! Insidious stuff, that open-source.

Recommended Daily Allowance of FUD

The entire slant of the document is incorrect. There are certainly concerns with the open source licenses, especially for someone unfamiliar with them who is used to using proprietary software, tweaking it, and reselling without every publishing the modifications to their clients or to the authors.

But the use of closed source and proprietary software has a generally greater risk due to risk of copyright violation and patent violation and user agreement violation. Simply reverse-engineering a proprietary protocol in order to get your work done or to fix a serious issue in closed source software can cause serious legal problems which are often far greater, even though they are more familiar. And the closed source tools are far more likely to contain backdoors or to have vital features discarded in new revisions, forcing a painful and expensive upgrade process for both software and its configurations to the new setups, or to simply be discarded and the data or tools permanently lost to users.

The shutdown of companies or their abandonment of products is a real problem in the closed source world.

Nothing but the usual FUD

an increased risk of exposure to faults
More public review, code that tends to be of higher quality, and the ability to fix problems yourself

intellectual property claims
And since when proprietary software was free from litigation?

the risk of forced disclosure of confidential code
"confidential code" -- whose? If yours, you wouldn't even be able to put it there otherwise. And someone has to reread the GPL again -- no one says the gov agency in question has to distribute any source of things they use internally. If the agency in question releases some software itself -- that "confidential code" will be disclosed anyway, just in a form that is harder to read. Back in the days, I learned how to program a particular SVGA chipset by debugging through BIOS code, and my asm skills are low -- are you going to tell me that if the "confidential code" has any real value, no one will get to it anyway?

Sigh. Another one.

It's not FUD, it is simply "OSS for the uninitiated - be warned that if you're developing software, you might want to actually read the license of anything else you or your contractors plan to use rather than just ignoring it like you usually do". The general tone is "You can use OSS, but be careful".

It's not terribly well written, mainly because it seems to add a load of guff to licenses which are by and large pretty easy to read. And it uses some contentious terminology which is likely to cause concern. ("Infectious", anyone?)

Doubtless a whole boatload of slashbots who didn't RTFA will be a long in a moment to say "yeah but no but it's microsoft FUD ignore it don't give it publicity etc etc" - I'm not going to debate that one. I actually think it's more likely to be an attempt on the part of the law firm to drum up a bit of business. Something along the lines of "Now you've read this article, contact us for further advice!"

RTF Document

Read the actual document [e.govt.nz], not just the summary. The actual document isn't that bad.

The stuff inside isn't that big a secret to most folks. It mainly boils down to, "Using open source software under licenses we've reviewed is okay, but be careful if you're developing code using open source software that we don't want released to the masses, because under some licenses, we may be obligated to."

In fact, this document is probably a good thing, in spite of a somewhat badly written summary. Check out Chapter 2 [e.govt.nz]:

(a) Only use open source licences that have been legally reviewed, including the GPL, LGPL, CAL, MBSD, MIT, which have been reviewed and are recommended by SSC for use in accordance with this guide.

(b) Obtain performance and intellectual property warranties from the supplier of the open source software, where appropriate and available.

This only makes sense. I can't imagine anyone disagreeing, saying that you should use software with a license we're not familiar with, or to disregard the IP of open source authors.

Also, look just below it. It says that for software development that is for open distribution, it's okay to use open source software. For software that is for limited or closed distribution, don't. Is this new? Am I missing something? If anything, people who are interested in open source software can look at this document as permission to go forward, not as a hinderance!

I mean, I realize that the words "infectious" has negative connotations, but I just don't see this document in and of itself as a bad thing. And even though I'm a strong FOSS advocate, the stuff that's in there is stuff that I would recommend to any company, government or organization to consider in their decision whether to use closed- or open source software.

Re:RTF Document

I mean, I realize that the words "infectious" has negative connotations, but I just don't see this document in and of itself as a bad thing.

You might think that, with your head screwed on properly. However the pointy hairs who read this document are going to go apeshit when they read the emotional words "infectious" and "quarantine".

This document is written for pointy hairs, not engineers. It's designed to scare them into submission, make them freak out and think that open source is going to steal all their company patents, intellectual propery, their baby, and kick their dog too.

Good Point

Legal risks with using software are a real issue in our world.

That's why it would be in the best interests of all computer users and IT decision makers to explore the issue fully, to look closely at what kinds of risks exist, what kinds of risks tend to occur most often in the real world and what their consequences are.

My experience has been that folks using proprietary software are frequently in the position of bending over backwards (particularly in a large corporate or government environment) to make sure that they have licenses for every piece of software that their employees are running on the their PCs. The IT folks spend some serious time auditing to avoid the even larger risk of a BSA audit.

As for legal risks associated with open source software I have yet to encounter any. All I've seen are press reports of legal actions that show no outcome but to prove they were based on frivolous premises and some PR statements talking about legal indemnification which are excellent marketing strategies for certain vendors of proprietary software keenly afraid of their revenue stream becoming commoditised by free and open source software. About the only genuine risk I've seen with FOSS is for developers that disobey the "Share and share alike" GPL by releasing modified binaries without releasing modified source.

Perhaps I'm missing a serious issue and these folks could show some evidence of real people and real companies that have experienced harm due to lack of vigilance concerning the legal risks of FOSS. And they could explain why my personal experience doesn't reflect reality of serious legal risks with hard statistics concerning how much time and money are lost to risk mitigation and handling legal mishaps with users of FOSS compared to users of proprietary software.

Re:and GPL v3 makes this problem worse

For companies that do not want their source code plastered all over the internet, avoiding GPL'd software just makes good sense.

Ehh... sort of. You can still use open-source software: you can develop in emacs on GNU/Linux and write up all the documentation using LyX or OpenOffice or whatever. As long as your product is all your own work that's fine. It's when you start shipping, say... an Integrated Firewall Solution that happens to run on a modified Linux kernel that you might run into GPL issues.

That's the quarrel we generally have with this kind of article: it can confuse the issue between use of GPL software - which you can do freely, even if you don't accept the terms of the GPL itself - and redistribution of GPL software or derived works, which is just plain illegal under standard copyright law unless you do so under the terms of the GPL.