In my last post, I touched upon the idea that a little knowledge does not go a long way when it comes to effective open source software management and governance. At the crux of this statement is the need for education about open source software and licenses. I know, I know, you are yawning already; open source education? Yes, that's what I said. Whether your organization is a new start-up in the early phases of development or an established business with mature products, the starting point of getting a handle on the use of open source software must begin with a homogenous understanding of the relevant issues by the key players.
Let's walk through a hypothetical example. BasementApps is a start-up consisting of Geau, Jaq, and Krys, bright, young developers with a promising application concept. They pull together some money, including capital from a round of family and friends fundraising, and get to work. They run a frugal operation, working out of the basement of Jaq's rental and subsisting on rations of Ramen Noodles, Twizzlers, and Dr. Pepper. Like most developers of their generation, they are steeped in a steady diet of open source software. They are aware that there are open source licenses and have heard whispers of legal issues relating to open source software, but do not give much thought to how this could have anything to do with their business.
Midway through development, Geau runs into an attorney friend outside a tea shop. They chat a bit about BasementApps and she tells him that they might want to track what open source software they are incorporating into their application and, even more importantly, what license applies. Geau nods, "yeah, we sort of know what's in there," he exaggerates. She explains some of the ramifications they may run into and offers a few pointers. "Really, Geau, don't ignore this. It will haunt you later," she says as she pedals away on a rustic, red Schwinn beach cruiser.
Back in the basement, Geau relays her words to the others. "Whatever, man, the code is free. People want us to use it. I mean, when I posted my Enigma project to GitHub, I didn't even bother filling out the license info," said Jaq.[1] "Yeah, &*@ing lawyers, they just want to make more work for themselves," Krys chimes in. After explaining that his lawyer friend is actually pretty cool (for a lawyer), Geau concedes, "What's the worst that could happen anyway?"
A few months later, the guys finish up a beta version and do a limited release. The reception is off the charts. Before they know it, a couple of household-name tech companies are sniffing around about an acquisition. Geau, Jaq, and Krys are ecstatic. Their friends and family have dollar signs in their eyes. MegaTech makes a sizable initial offer.
Then come the lawyers and a due diligence checklist that is longer than Rapunzel's braid. One of the items requested is a bill of materials (BOM) for all third-party code included in the app and licensing info, including any open source software. The guys know they have only used code they wrote themselves or code freely available via the web. But they have done nothing to track what they used or where they got it, let alone what the license was. A sinking feeling settles in the pit of Geau's stomach as his friend's words echo in his head. Jaq is pragmatic: "We can figure this out. There are only three of us. How hard can it be?"
They submit a list to the best of their knowledge that includes about 15 different open source projects under 7 different licenses. Finding the license info proves to be challenging in some cases; when they come up empty-handed, they figure there mustn't be a license at all and state that the code is "freely available in the public domain." MegaTech's attorneys are sceptical. They request that a third-party audit be conducted on the codebase. The audit reveals 40 open source packages under 20 different licenses. Worse yet, most of the licenses they did identify were either incorrect or incomplete. This revelation causes MegaTech to want more information about all the aspects of BasementApps, and gives it a bargaining chip.
The deal eventually goes through, but at half the amount of the original offer. Most obviously, Geau, Jaq, and Krys should have spent a little extra time tracking what open source software they used in BasementApp by implementing some kind of process for doing so. But would that have been enough? Even with tracking in place, figuring out the license is not always straightforward and licensing information can be difficult to find. Furthermore, the assumption they made about a lack of license is exactly the opposite of the legal reality.
What Geau, Jaq, and Krys really needed was a crash course about open source software issues. This could come in the form of self-education; of course, that requires a certain amount of discipline, motivation, and time, which may be hard to come by for developers under deadline or excited about a promising new project. Alternatively, that education could come in the form of training by experts in the field. The issues aren't hard, but having someone who can boil it down to the key points may be a lot more efficient than filtering through the many, many variable resources found on the internet.
How do you think the cost of a half-day training course and some built-in tracking during the development process compares to the cost of the lesser offer BasementApps got for its acquisition?
This is a purely fictional account. Any resemblance to real people is merely coincidental.
[1] For a tongue-in-cheek and ironic explanation of the result of this, see http://tieguy.org/blog/2012/12/03/licensing-confusion-is-great-for-lawyers/.
Follow @jilaynelovejoy View Jilayne Lovejoy's profile