How risky is open source?

Even as its adoption in the enterprise has exploded, open source software remains dogged by questions regarding its legal status. Most recently, Microsoft has claimed that open source violates no fewer than 235 software patents.

Such pronouncements have contributed to an atmosphere of presumed risk regarding open source, and debate over the terms and enforceability of open source licenses and the role of patents in software development has only added fuel to the fire.

"We have heard repeatedly from customers that IP [intellectual property] assurance is a major factor in a company's decision to purchase technology," says Susan Hauser, Microsoft's general manager of strategic partnerships and licensing. "Unfortunately, we live in a world where disputes over intellectual property can result in a lawsuit."

This may indeed be true, but it is true for any software deployment, not just open source ones. Today, commercial open source is a mature industry, and leading vendors balk at the suggestion that their products are inherently riskier than proprietary equivalents.

"We've never had an actual reporting of an IP infringement issue," says Zack Urlocker, executive vice president of products at open source database vendor MySQL, adding that very few MySQL customers even broach the topic in sales negotiations. "It's not zero, and for the people where it does come up, it is important. But the vast majority of deals we close, the issue just doesn't come up."

Certainly, proprietary software vendors such as Microsoft have a vested interest in playing up the risk associated with open source. After all, open source software has become one of the more important resources for IT professionals, threatening proprietary vendors' market share. But although copyrights, trademarks, and patents do merit consideration, these issues shouldn't be overstated. Rather, an accurate understanding of the relationship between open source code and intellectual property can help IT practitioners become better advocates for open source within their organizations.

Who owns the code?

The idea that open source code could infringe on intellectual property rose to prominence in 2003 when The SCO Group asserted that the Linux kernel unlawfully incorporated SCO-copyrighted code. Indeed, the majority of IP issues surrounding open source involve copyrights, as it is copyright law that gives open source licenses their teeth.

Because the open source model avows open, collaborative development, open source projects are, for the most part, the work of numerous authors. As such, many commercial open source vendors do not in fact "own" the products they sell. Instead, they are merely distributing the software under a license extended to them by the original creators of the underlying code.

Collaborative development and distribution is considered one of the great strengths of open source, but it can also lead to problems. In rare cases, an individual contributor to a project might re-release portions of code under an incompatible license, or even contribute code that infringes on another's copyright. If portions of code must be removed, the business value the product delivers to the customer could be diminished.

To minimize this risk, some open source projects such as MySQL require all contributors to assign copyright of their code to a central organization. The industry, however, is divided as to whether such a policy really guarantees customers greater protection.

But what's important to note is that open source projects are by no means alone in incorporating code from multiple parties. According to Greg Jones, associate general counsel for commercial Linux vendor Novell, "The degree to which the third parties own the code in your offering changes, but the concept of having third-party code that may be fundamental to your offering is common to both major proprietary software products and open source software products."

In general, copyright infringement poses very little risk for software end-users. The issue is slightly more complex for customers who wish to incorporate open source code into their own software. Even in these cases, however, guidance and support from an established open source vendor can help mitigate these risks and ensure disputes can be remedied quickly and without financial consequences for the customer.