CIO — Karen Copenhaver, a partner at law firm Choate, Hall & Stewart, tells a story about running a seminar for a large company. The goal of the seminar was to make it clear that software developers had a responsibility to abide by their company’s guidelines surrounding the use of open-source, free and other third-party code.
Copenhaver thought it went well. Then the development group’s manager came up to her and said, “You know, these fellows can’t get everything they need to get done every day and worry about all of this stuff.”
The manager’s words lie at the core of an issue that affects countless development departments around the globe today. Faced with shrunken budgets, tight deadlines, the fear of jobs being shipped off to the lowest bidder and expanding demands for ever-more-complicated software, programmers are tempted to grab bits, pieces and even large bites of code from various third-party sources in order to get things done more quickly.
The consequences of this (to be kind) borrowing can be anodyne; that is, no one ever notices the code, the product ships (either externally or internally), and life goes on. Or the consequences can be catastrophic. Dirty code, according to intellectual property lawyers, has led to expensive delays during many mergers and acquisitions. And thanks to the efforts of a single programmer—Linux kernel contributor Harald Welte—at least 100 companies have been forced either to remove or release as open-source various pieces of GPL code that they borrowed without properly complying with the license.
It doesn’t have to be this way. Companies can avoid problems resulting from the use of open-source code. Legal experts we spoke with offered numerous tips and tactics for maintaining the flexibility necessary to take advantage of this important tool in the software developer’s box while limiting the risk.
Assume You’ll Get Caught
Copy some code, change the variables, tweak the white space.... Who’ll ever know? Perhaps at one time there wasn’t much chance that anyone would identify code that had been illicitly lifted from someone else’s work. But times have changed. Source-code compliance tools from the likes of Black Duck and Palamida, which can scan millions of lines of code and compare them with huge databases of known software, allow companies to locate (and locate pretty quickly) previously created code—even if variable names and white space have been modified by the borrower.
Black Duck’s client list has grown more than 300 percent during the past year and now includes 11 Fortune 500/Global 500 companies. Its hosted code assessment service, ProtexIP/OnDemand, has been downloaded by hundreds of companies and has been used in more than 140 merger and acquisition due diligence transactions totaling an estimated $9 billion, according to the company. Searches for suspicious code are becoming de rigueur during the due diligence surrounding mergers and acquisitions. The culture surrounding open-source and free software has had an impact as well. Whistle-blowers have outed their employers over open-source code misuse. Some GPL violations have also been called to the attention of the world by interested users who notice suspiciously familiar behavior in commercial products. (For instance, network hardware maker Linksys, soon after its 2003 purchase by Cisco, was famously inspired to release the firmware to its WRT54G router when motivated users uncovered that pieces of the firmware were based on Linux.)
