
August 31, 2006 | Comments: (0)

Open source risky? Nah. Just if you hire an attorney who doesn't grok it

I came across this opinion piece by Paul Barton, an attorney at Field Fisher Waterhouse LLP, today. I wish he had attended the Open Source Business Conference before writing his piece. (OSBC includes, among other things, two full days of legal education on open source.) He could have saved himself the embarrassment of misinformation. (I won't call it malpractice. :-)

(Btw, I am an attorney. I don't play one on TV.) (Unfortunately.)

First off, Paul is clearly talking about "in the wild" open source, whereas most enterprise open source adoption is of commercial open source (Red Hat, MySQL, JBoss, etc. etc.). It's true that Red Hat doesn't own the code (or most of it, anyway) that it ships, but this is emphatically not true of virtually every other piece of commercial open source software. Alfresco has as much right to its software as Documentum does (to Documentum's software). JasperSoft has as much right to its software as Business Objects does (to Business Objects' software). MySQL has as much right to its software as Oracle does (to Oracle's software). Etc.

Any time you start talking about open source as "risky," you need to clearly define what you mean by "open source." This lack of definition leads Paul into trouble later, when he says:

"...[M]ost forms of OSS licences are structured in favour of the contributor rather than the licensee. There are usually no contractual commitments of quality or fitness for purpose. The licensee will have to bear the risk of any errors in the code, and since there are often many contributors at work, there are numerous opportunities for infringing code to be introduced. This may, in some cases, outweigh the time and cost advantages of using open source."

This is inaccurate on so many levels that I hardly know where to begin.

  1. The licensee and the contributor are treated the same. Each has rights so that the other's rights are protected. Regardless, in commercial open source, this is a non-issue. Because JBoss owns its code, it can license JBoss Portal, for example, to a user under any license that it wants to. Regardless, Paul should check out a comparison of the GPL to Microsoft's EULA. The GPL doesn't hold a candle to Microsoft's restrictions on end users ("licensees").

  2. Contractual commitments... Has Paul seen an Oracle/SAP/Vendor-of-your-Choice EULA recently? I'm unaware of any that say anything other than "This software will explode at any minute. Look out!!!!" Microsoft's XP EULA at least gives you 90 days when it will "substantially perform" to expectations... I guess the viruses hit on the 91st day. :-)

    At least the open source licenses have a good reason for not providing a warranty: you're getting the bits for free. Why should the code author warrant software (and assume the costs of legal liability) without payment? As Paul would discover if he tried to buy the software, warranties and other protections are forthcoming the minute he pulls out his checkbook.

  3. "Numerous opportunities for infringing code to be introduced." I'd love to see Paul try. Go ahead, Paul. Infect Linux today. Submit code. We'll see how long it takes you (try at least two years of patient, solid work on the Linux project to actually get code committed).

    In the case of commercial open source, Paul would fare no better, because all incoming code must be assigned to the company/project with a guarantee that it's his code (and the same rigorous legal analysis to screen infringing code that any Oracle or Microsoft would use - in fact, it's often better).


In short, Paul, you need to define what kind of open source you're talking about: the kind that most people use (commercial open source with all the protections you mistakenly say aren't there) or the random, rogue open source virus factory that no one uses. Yes, I'm exaggerating, but no, the "risk" of open source is no greater, and is generally far less, than the risk of using proprietary software.

I thought everyone already knew this.

Posted by Matt Asay on August 31, 2006 11:07 AM


COMMENTS




Matt, you rock. Nice demolition. I look forward to seeing this syndicated at Groklaw.

Posted by: Toby at August 31, 2006 01:44 PM

Actually I should have added to my previous comment, I have "in the wild" open source projects myself. They're not exactly "enterprise" type codebases, but I'd like to see anyone inject code into those. It can't be done without my oversight. And oversight *does* scale - your Linux example was spot on.

Posted by: Toby at August 31, 2006 01:49 PM
