
Reflections on 2011: Milestones in Open Source Compliance


What has 2011 meant for open source legal issues and license compliance?  Regardless of what holiday you celebrate or whether you celebrate at all, it seems this time of year inspires reflection.  As I gaze out my office window at the snow-sprinkled Rocky Mountains, I can't help but apply that same reverie to the open source software world. What significant events have occurred? Which legal cases have been decided? How have we grown? Where are we going?

Of course, those questions are answered both objectively and subjectively.  Objectively in the sense that some events, cases, or growth are significant enough for anyone in this world to notice.  Subjectively in the sense that the perspective of some events, cases, or growth is intrinsically filtered by the lens through which we each look - in my case, the lens of a law geek (because anyone who enjoys reading appellate opinions, is, ipso facto, at least a little geeky) who is ever-increasingly embracing her techno-geek side (much to the delight of some of my co-workers) and fully embedded in the world of open source license interpretation and compliance.

1) SPDX Workgroup, organized under the Linux Foundation umbrella, releases version 1.0 of the Software Package Data Exchange® (SPDX™) standard.  An impressive collaborative effort by industry and community participants came to fruition with the official release of SPDX, a standard format for communicating software provenance, open source license, and copyright information across the supply chain.  By creating a standardized way to report this information, efficiency is increased by reducing redundant work, thus allowing more focus and effort on open source license compliance.  This critical first step will provide a stepping stone to enable further developments to aid reporting and compliance as industry leaders adopt and adapt SPDX.

2) The Regional Court of Berlin confirms that users are indeed allowed to modify and install GPL software shipped as part of the firmware of an embedded device.  This case involved the plaintiff, AVM, which makes Linux-based DSL routers, and the defendant, Cybits, which makes an internet filtering device.  Cybits' device is installed on the AVM router by downloading the firmware, running a program that modifies the Linux kernel to add a user-space program, and re-installing the modified version.  AVM filed suit claiming, among other things, that any modification of any software included with the firmware constitutes copyright infringement.  The court reasoned that the firmware is a collective work; because the GPL clearly grants the right to modify, those portions of the router firmware that are licensed under the GPL can be modified.  Thus, AVM cannot restrict such activity.  While this outcome may not sound shocking, with so little jurisprudence on the interpretation of open source licenses, judicial confirmation of what the open source world has come to assume is always worthy of attention.  (For more details about the case, check out FSFE's writeup or LWN's article, which includes the legal perspective from lawyer Till Jaeger.)

3) Open source software adoption leaves the era of denial.  When performing open source audits for our customers, we always ask what open source software, if any, is in the codebase to be scanned.  This is really a trick question, as we know that every audit we have performed has revealed more open source software present than expected.  However, we've noticed a shift in the answers.  It was not so long ago that we occasionally heard "we don't use any open source" as an answer, or what we would refer to as denial.  In 2011, the answers have changed to resemble something more like acceptance, along with an increased sophistication in the types of questions customers ask.  This is confirmed by Gartner research, which found that over half of respondents use open source software as part of their IT strategy.  Yet Gartner also found that most organizations have yet to adopt an open source policy or governance framework.  Perhaps 2012 will be the year of responsibility and action.

What 2011 events concerning open source legal issues and license compliance were notable to you?  More importantly, how will you navigate 2012 in this regard?

Is your company aware of or involved with SPDX?  If you are not yet familiar with SPDX, learn more at, or better yet, join the general mailing list or participate on one of the three teams - legal, technical, or business.

Is someone in your legal department staying abreast of legal developments related to open source software?  If not, make it a New Year's resolution to check in with various FOSS blogs and news sites on occasion.  I'd recommend Groklaw, FSFE's news page, Heather Meeker's Copyleft Currents blog, and .

Where on the denial-acceptance-responsibility open source software continuum is your company?  If you are still struggling to accept your addiction, perhaps educating yourself on open source audits is the place to start. If you have embraced your open source software dependence, but have yet to create an open source policy, then check out our Open Source Policy Builder.


This work is licensed under a Creative Commons Attribution 3.0 Unported License.
