Large companies typically don’t have any idea how much Open Source software they have running on their various systems. This can pose a management and legal problem, so HP has developed software, called FOSSology and FOSSBazaar to help track down errant OSS installs. A Techtarget article notes, “HP gave an example of a recent customer that had three times as many FOSS licenses as originally estimated — 75 licenses rather than 25. This left customers with a choice: implement governance policies to allow the safe use of FOSS, or replace the software at an estimated cost of $80 million.”
What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me.
OSS/copyleft projects can be very talented at hiding their licenses in obscure places. Additionally, there’s currently no law requiring that open-source projects identify themselves as such in marketing and during installation so the user can opt out, so many people use open-source programs unknowingly.
So, this is a great solution to the “issues” you have raised.
There’s no law requiring closed source software to identify itself as such in marketing and during installation, so many people use closed source programs unknowingly.
“What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me.”
In general there would be none. The one time it could pose a risk is if you are a software development house. That can cause legal problems if a developer uses the GPL versions of the files versus the paid-for ones, such as with Qt. That is the management/legal problem. Mainly because if the product cannot be GPL for whatever reason, such as being a DoD project or such.
Well, the FSF is taking an aggressive stance now with pursuing legal action against GPL violators.
Steve Ballmer is beating a tin drum about OSS projects violating MS IP.
Sun themselves are in a two-way lawsuit over patent violations in ZFS.
Trend Micro is barking patent claims against ClamAV, which is integrated into a surprising number of commercial enterprise-class security applications/products.
Linux kernel devs like Greg KH claim that closed drivers such as nvidia’s are GPL violating, whereas Linus himself disagrees.
Qt respects a multitude of OSS licensing options but requires a commercial license for any applications that don’t meet those OSS requirements.
The list goes on…
It’s one thing to argue semantics on a tech-oriented forum such as OSAlert. It’s completely different to argue them with compliance-regulated commercial organizations that risk liability for license violations.
This isn’t a bad thing HP is doing, so let’s take the tinfoil hats off for a second and stop assuming that they’re somehow trying to undermine OSS adoption, particularly considering they are a significant backer and contributor to OSS.
Commercial organizations operate under different priorities and requirements than your average tech enthusiast. Despite the growing adoption of OSS within enterprise class organizations, it’s still a scary concept for many CIOs to try and navigate the requirements and obligations of various OSS licenses, particularly if they’re creating software applications around them. Sarbox also implies a requirement for due diligence when it comes to things like IP issues, so execs often discard alternatives in favor of the warm and comfy proprietary licenses they are familiar with, complete with legal indemnity.
If you’ve got a bone to pick, don’t blame HP. Blame MS for bringing up the issue of IP compliance to enterprises when it comes to OSS. Used appropriately, this is a tool for OSS-favorable CIOs to get a measurable handle on how non-proprietary tech is being used within their organizations.
I see the glass as being half-full, but I imagine that there will be many that insist on seeing it half-empty.
Applies only to software developers who include GPL code in their own product which they then try to release as closed source and charge people for.
A lot of noise and no substance. Not one actual mention to date of an alleged infringement of an actual patent number from Steve.
Has nothing to do with Sun’s use of FOSS. ZFS is Sun’s own product.
These claims are not against ClamAV itself, but rather are against the manner in which one company has used an anti-virus scanner (any one at all would qualify here) in a firewall product. Lots of prior art would indicate this action doesn’t have a prayer anyway.
Which one of these is a copyright lawyer? As long as nvidia binaries contain no FOSS code itself, and do not statically link to GPL code (LGPL doesn’t matter), then it does not infringe. This is in fact the case AFAIK, so Linus is correct it would seem.
Like any software at all, if you want to include it in your closed-source product, then you must get permission from the author. The GPL does not give you permission to do that, so you must get a separate license from trolltech. This is no different WHATEVER code you use in your closed-source product … if you did not write it yourself, you must get permission from the author. That would normally involve paying a FEE. This also has nothing to do with FOSS … this is use in a commercial product.
Edited 2008-01-30 06:22 UTC
NO, the FSF will pursue all GPL violations. The thing is most of them comply as soon as the FSF shows up, since it’s a legal and recognised license tested in court.
Microsoft is sending its satellite company to do this job so as to not appear as the bad wolf with the antitrust regulation they are under in the US. Problem (for them) is everyone they send is struck down in court.
Neither, but Linus is known to make illegal and costly legal mistakes.
– GPL is the second license of the Linux kernel.
– Trademark is not legal and recognized worldwide because of him.
– Lots of OSS code he included turned out to have to be removed.
No, Linus just doesn’t know what he is talking about, as usual when he goes out of kernel coding. There is a serious graphics driver problem due to them being mostly OSS; lots of incompatibilities with upgrades are due to slow fixes coming from the proprietary graphics drivers.
There is a 6 month to a year gap on the higher end graphics card driver releases.
“the FSF is taking an aggressive stance now with pursuing legal action against GPL violators.”
Nothing new here, at all; the FSF has won every single case of GPL violation it pursued. Mostly by having the thief comply before going to court.
The problem is that not all OSS certified code and Free software licensed code is legal and equal.
GNU/Linux and Free Software is legal and comes with patent legality assured and protected.
Whereas, say, BSD is illegal, comes with no patent legality and is not insured or reviewed for removal of infringing code. They are not even covered by OIN and are infringing on most of OIN’s patents (pretty much almost all patents outside Microsoft).
Most of BSD and OSS is illegal and raises flags about its provenance and sustainability in court; unlike GNU/Linux and real Free Software, it has not been proven as legal.
Lots of Management are paid or convinced to remove FOSS for Proprietary solutions; they just don’t know the real cost of their decision.
HP is trying to be legal here, and a lot of OSS is illegal, not to be compared to GNU/Linux and Free Software which is always legal; most OSS needs to be removed completely as it is a liability for a company.
“…to help companies address the potential legal, financial and security risks involved in the adoption of free and open source software.”
Right.
I don’t think anyone will quibble about security risks running unknown copies of open source; if it’s unknown, it is likely not going to be upgraded when security flaws are discovered and fixed.
As for financial and legal risks, there are, in fact, legally encumbered binaries (at least in some jurisdictions) which cannot be copied under the license terms. While this can be overcome by building equivalent binaries from the source (which does require some work), not doing so could result in risks, however small in practice.
While unknown copies of proprietary programs are, by contrast, not subject to these issues.
Edited 2008-01-30 01:40 UTC
Please explain how this is different from running unknown software that isn’t open source.
In general, there is no difference. However, in server environments (which this software is geared toward), nearly all closed source software is commercial, and generally requires such things as licence information and root access to install, not to mention a commercial agreement prior to receiving the software.
In contrast, open source can generally be installed without such restrictions, making it far easier to overlook.
Open source code does not need “looking over”. You are granted permission to install it and run it without any commercial agreement in place. Since you don’t need any commercial agreements to install it and run it, what exactly is the point of trying to keep track of commercial agreement papers which don’t exist and aren’t required?
You missed the original context of my initial reply; the problem is that if the software is untracked entirely, the software may not be upgraded to pick up fixes for security flaws that are discovered. These known but unfixed flaws pose a risk to the company using the software, especially on servers which are accessed or updated by multiple people.
While being easier to obtain, install, and run is one of the advantages of Open Source, there is a corresponding disadvantage that it is so easy that it can be done with little thought. That in turn makes it easy to overlook the need to install security updates.
Business people try to pinch a dollar out of you no matter what you are doing.
If you don’t know what you have installed on your systems, ask your system administrators to keep updated documentation on how your network is set up and evolves. Make it part of their job evaluation.
HP has released this as GPL. Although I can’t seem to find an application for it within my company, HP is not charging for the ability to use it.
As far as we can see, they want licenses to be sold.
HP-UX is pretty arcane, incomplete, runs on hardware that isn’t available anymore (PA-RISC) and now they bet on Itanium. Even a DVD set will cost you list price $800 or so.
HP has a hard time and they try to compensate.
“There is a significant benefit for enterprises to understand how much of this software they have and be able to manage it. Companies are running huge risks — financial and otherwise — by not knowing what open source software they’re using and therefore not knowing what license obligations and security violations come along with it,” Martino said.
That was the only explanation in the article. I tried to play devil’s advocate and come up with some legally compromising scenarios of my own, but I honestly couldn’t.
If anyone is curious, you can download the tool here: http://www.fossology.org/. It’s GPL, somewhat ironically.
Ed: it appears to scan local files for text in 30 types of OSS licenses (\agents\foss_license_agent\Licenses\Raw\) and store the results in an SQL-based “fossrepo.”
Edited 2008-01-29 22:19 UTC
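To make the “scan local files for license text” description concrete, here is an added example (my own illustration, not FOSSology’s code or its license signature files): a small scanner that walks a directory tree, normalizes each file’s text so line wrapping and case cannot hide a match, and reports which known license phrases each file contains. The fingerprint phrases, the sample files and the `demo()` helper are constructed for this example.

```python
import os
import re
import tempfile

# Distinctive phrases from well-known license texts (constructed for this example, not FOSSology's signature files).
LICENSE_FINGERPRINTS = {
    "GPL-2.0": "either version 2 of the license, or (at your option) any later version",
    "MIT": "permission is hereby granted, free of charge, to any person obtaining a copy",
    "BSD-3-Clause": "neither the name of the copyright holder nor the names of its contributors",
    "Apache-2.0": "licensed under the apache license, version 2.0",
}

def normalize(text):
    """Collapse whitespace and lowercase, so wrapping and case cannot hide a match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def detect_licenses(text):
    """Return the sorted list of fingerprint names found in one file's text."""
    norm = normalize(text)
    return sorted(name for name, phrase in LICENSE_FINGERPRINTS.items() if phrase in norm)

def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory tree; map each file (relative path) to the licenses it mentions."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read(max_bytes)  # cap per-file read so one huge file can't stall the run
            except OSError:  # unreadable file: skip it, don't abort the whole inventory
                continue
            found = detect_licenses(raw.decode("utf-8", errors="replace"))
            if found:
                results[os.path.relpath(path, root)] = found
    return results

def demo():
    """Write a constructed sample tree to a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files; the GPL wording is split across lines on purpose
        "vendor/libfoo/COPYING": "either version 2\n   of the License, or\n(at your option) any later version.",
        "app/util.js": "/* Permission is hereby granted, free of charge,\n   to any person obtaining a copy */",
        "app/README.txt": "Internal tool. No license text here.",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    for path, licenses in sorted(demo().items()):
        print(f"{path}: {', '.join(licenses)}")
```

Run against a real tree, the output is the inventory the thread argues about: which files carry which license text, which is the starting point for both the license-obligation question and the “is this copy still getting security updates?” question.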
75 FOSS licenses? Really? I assume this does not refer to having software under 75 different OSI-approved license terms in their organization, but rather to having 75 devices running on FOSS software under licenses unknown.
Does HP mean to imply that not obtaining (read: paying for) licenses for FOSS software is somehow illegal or against government policy? I find this somewhere between comical and disingenuous. Is it unsafe to use unpaid-for software, even if that is in compliance with its license?
I understand that some organizations might like to know how much unapproved FOSS software has crept in to their infrastructure, purely for informational and planning purposes, but to advertise this service in a way that suggests that they are ferreting out illicit or illegal installations and making people pay for them is… unpleasant.
“I assume this does not refer to having software under 75 different OSI-approved license terms in their organization”
No, because most OSS licenses are not approved or recognised or identified by the OSI. Also the OSI does not certify the legality or integrity in the face of the law of the license used, just that it meets some of its basic Open Source criteria.
Example: the Heckler & Koch G36 (a military class assault rifle) is certified ISO; that’s a method of production. The ISO cannot come into court and testify that the G36 is legal and useable as a hunting rifle in CANADA because it’s certified ISO.
Now it may come to you as a shock, but in some countries many OSS licenses are declared illegal, BSD being one, because they figure the text is incomplete and that it’s not really a license but a contract or protection clause.
It’s a lie by the BSD that all OSS code is equal and that all are legal.
BSD is not part of OIN for a reason.
Sorry to burst your bubble Moulinef, but it is not at all illegal to write software (as long as you actually write it yourself and refrain from copying someone else’s work), nor is it in any way illegal to let someone else run the software you have written. As long as you have written the software, then the law is such that you the author gets to say how others may, or may not, use it.
There is nothing “illegal” about FOSS software.
“Moulinef”
M o u l i n n e u f , use copy paste if you can’t write my real life name properly.
“it is not at all illegal to write software”
It is when you’re not legally given the permission to do it.
“There is nothing “illegal” about FOSS software”
I agree.
The problem is with some “OSS” software.
You seem to mix Open Source Software with Free Software as if both are all the time the same and equal all the time.
As for living in a bubble:
hal twokone aka hal 2001:
http://www.google.com/search?client=opera&rls=en&q=hal+2001&sourcei…
…
Sigh! You really do have a major, major disconnect from reality here.
It is not illegal to write code. You just sit down and type it. As long as it is your own work, no-one can stop you. You do NOT need permission, from anyone.
Once you have written your own work, your very own piece of code … you are then the author of it. You automatically own the copyrights to it. Not the US government, not Microsoft, not your local pastor … nobody but you.
As the copyright owner in the code, you may license it however you wish. You set the terms by which others may use it and copy it.
Once again, and with emphasis … you DO NOT NEED ANYONE’S PERMISSION to write your own code.
http://en.wikipedia.org/wiki/Freedom_of_speech
http://en.wikipedia.org/wiki/Copyright
http://en.wikipedia.org/wiki/Free_content
Since the creator of a work has control rights over that work, they can choose to do this with it if they so please:
http://en.wikipedia.org/wiki/Free_software
PS: sorry about the mis-spelling of Moulinneuf. That was lazy of me.
Edited 2008-01-31 11:23 UTC
OK … That’s your point. But it has nothing to do with what I said.
Copyright ownership on the derivative is what’s the problem.
I wonder if they make one for Windows and Proprietary software? I mean, I have always wondered how anybody could determine that binary-only distributed applications could be checked.
Edited 2008-01-30 00:04 UTC
Wow. Welcome to the land of bullshit.
Seriously, that sentence makes no sense. Did they have software licensed under 75 different OSS licenses? Did they have 75 users of some OSS software that is per-seat licensed? Or something else entirely? What governance policies?
Other than how it’s licensed it’s no different.
What? Embedded in the hardware? Why the fsck would that matter? If it’s embedded it comes with the damn product. Why does it matter if a hardware device is using OSS or not?
I doubt “users” know how much software they have, regardless of license.
Wow really. No price eh? There’s a surprise for ya.
You know, if they had said that it helped you find unknown OSS software so you could keep track of it and keep it updated, that would have been one thing, but this, this is just bullshit.
Edited 2008-01-30 03:28 UTC
FTA:
If it really is FOSS, then it is absolutely free to “use” (that is, to run). Free as in freedom AND free as in beer. It says so right in the license.
The only restriction comes when you are a software developer yourself, and only then if the code that you produce actually includes FOSS source code within it, and only then if it is licensed under a copyleft FOSS license (such as the GPL) rather than a permissive FOSS license (such as BSD), and only then if your product itself is closed-source.
So are HP trying to claim that their customer was a developer who had released 75 closed-source applications which included copyleft FOSS source code, when they thought they had made only 25 applications?
HP’s customer needs to buy $80 million dollars worth of free software? Is that a silly claim or what? HP are sounding utterly stupid with this press release. Either stupid or ignorant of what the licenses actually say.
If I were a non-developer customer of HP’s and HP tried to scare me into buying a HP product with FUD like that, I would drop HP like a ton of hot bricks.
Even if I were a software developer, I’d take HP’s press release to mean that HP thought that I didn’t know what I was doing … and still I would drop HP like a ton of hot bricks.
And realized that it was like the ultimate flame-bait generator …
Psst … are you gonna let them use your code like that?
What are you talking about?
Well, something tells me that Abiword might be using your BSD licensed code and then calling the whole thing GPL.
Yeah, you’re right.
I’m not saying you have to do something, I’m just saying.
No, you’re right!!