"The term 'holistic' refers to my conviction that what we are concerned with here is the fundamental interconnectedness of all things.... I see the solution to each problem as being detectable in the pattern and web of the whole. The connections between causes and effects are often more subtle and complex than we.... might naturally suppose...."
Dirk Gently's Holistic Detective Agency by Douglas Adams
This article will set out a practical five stage approach to Open Source Software (OSS) legal issues for organizations that are working, or thinking of working, in this area. While OSS affords a plethora of legal challenges and ongoing developments that merit treatment, I will focus on a general framework for managing OSS legal issues. Since I will provide general legal information and not legal advice, I strongly encourage your organization to work with legal counsel with competency in the OSS area to address its specific circumstances.
Stage 1: Organizational Objectives
The first stage is to achieve clarity with respect to your organizational objectives around OSS. It is essential to start here since the set of clear objectives, which will vary from organization to organization, will be the key driver for each of the following stages.
While these objectives will often have a commercial dimension, the objective may sometimes be philosophical or political in nature. For example, a government organization may be attracted by the "green IT" opportunities of an open source thin client architecture or the competitiveness agenda possibilities of a local OSS ecosystem.
On the commercial front, the objectives can vary widely. They can range from cost-avoidance, to liberation from proprietary solutions, to best-in-breed adoption in a mixed software environment of home grown, commercial, and open source software. In some cases, the organization may intend to create a business around OSS. This could be in the form of a service company focused on OSS support, a hosted services offering, or a dual-license play. In all cases, it is important to always question whether OSS provides the best support for the organizational objectives or whether another solution is more appropriate.
Stage 2: Selection
Where your organization has decided to proceed down the OSS path, the second stage is to decide on the OSS solution(s). In doing so, you will need to consider the pedigree of the code and assess any known risks arising from its use. You will also need to give very careful consideration to the OSS license terms with regard to the manner in which you intend to make use of the code. Whether the license is permissive or reciprocal in nature, whether the code will be used internally or for delivery of a hosted service, whether the code will be modified and distributed, and/or whether the code will have an association with proprietary code, will all impact your organization's potential obligations with respect to the code.
As an organization, you will also need to decide whether your OSS selection can be done on an ad hoc basis or whether it is better to put an appropriate approval body in place. In either case, it is essential to assemble a team with the requisite business, technical and legal skill sets needed for the selection process. In addition, you should formulate an OSS policy to guide your organization's selection process. It is prudent for this policy to also address voluntary contributions by your organization's employees to OSS projects.
Stage 3: Implementation
Once your organization has selected its OSS solution, it needs to proceed to the implementation stage. At this point, very careful consideration needs to be given to the architecture of your organization's offering. While this stage is tightly tied to, and often iterative with respect to, the selection stage, the analysis at this stage is more holistic, having regard to the inter-relationship of all of the code components. Although this analysis may be fairly simple in some situations, it is often incredibly complex in a mixed software environment. In addition, architectural options may have a profound impact on your organization's OSS obligations, so careful consideration at this stage will pay dividends down the road.
A central element of the implementation stage is a consideration of license interaction. Since almost all OSS and commercial software licenses come with certain conditions, requirements, and/or obligations, it is essential to fully understand the interplay of all of these elements having regard to the compatibility of the licenses. In some cases, it may be necessary to revisit the OSS selection stage, due to irresolvable conflict between the licenses for certain selected software components, before you will be able to finalize your organization's offering. License compatibility will be even more complex in the post-GPLv3 world, given the wide range of compatibility customization options that are now available under that license.
Stage 4: Compliance
Now that you have settled on your organization's offering, with its underlying OSS solution(s), you need to focus on compliance matters. In the first instance, you need to ensure that you are fully compliant with the obligations under the applicable OSS and commercial licenses. For most permissive OSS licenses, your only obligation will be the appropriate reproduction of the applicable OSS license notices.
The situation under reciprocal OSS licenses will be more complex. In cases where your organization will be distributing modified code, you will typically be required to make that code available in source code format. In situations where you will be using OSS code in modified form to provide a hosted service without distribution of the modified code, you will typically not be required, under most reciprocal licenses, to make the source code available. The release of source code would, however, be required in this hosted service scenario under the terms of the Affero license.
The compliance situation with respect to reciprocal OSS licenses is even more complex with respect to certain associations between software solutions. Under the terms of the GPL license, the licensee is required to release the source code for any work based on the program that is governed by the GPL license terms. This determination, driven by an analysis of derivative works principles under copyright law, is by its very nature extremely fact specific. Accordingly, it is essential for your organization to work closely with OSS business, technical, and legal experts to arrive at a well thought out position on this issue.
Stage 5: Audit
For those organizations that have completed the four prior stages, the audit stage is primarily focused on verifying compliance with the steps set out for each of the earlier stages. In particular, the focus of the audit is to ensure that the organization is in full compliance with its OSS obligations including the flow-through of OSS license terms and the release of any required source code.
This article has focused on a "green field" OSS program where the organization is starting from scratch and has no existing code base. In other instances, where a code base already exists, your organization will want to audit its legacy code base to identify any underlying OSS issues. Black Duck Software offers one of several existing commercial offerings that can assist an organization in conducting this code analysis. In addition, your organization may need to audit its supply chain with respect to OSS content in third party commercial offerings and take steps to ensure that appropriate controls and contractual provisions are put in place. In non "green field" cases, your organization will need to initially focus much of its effort on the audit and compliance stages before it will be able to transition to the cadence of the five stage approach.
Any organization that is using or considering the use of OSS needs to give careful consideration to each of the five stages set out in this article. Given that the overview of each stage is illustrative only, and not exhaustive, I encourage your organization to remain open to related legal issues that may either be variants of existing issues or new matters. While working through the "interconnectedness of all things" will no doubt bring its challenges, the five stage approach to OSS legal issues will provide your organization with a practical framework for the responsible use of OSS by allowing your organization to maximize its use of OSS while minimizing the associated legal risks.