Open Source Insurance May Call All Code into Question
March 29, 2004 Timothy Prickett Morgan
The hardest thing for proponents of the open source programming model to fathom is that the lawsuits between The SCO Group and IBM are only the beginning. Any company with a vested interest in supporting the proprietary software licensing model, which, arguably, has defined the software industry for decades, is going to attack open source on patent, copyright, and intellectual property grounds. Open Source Risk Management wants to prepare customers for this eventuality and to cushion the economic and legal blows that open source users might face in coming years.
Vendors have been unwilling to offer wholesale indemnification to open source programs that they distribute or support. While Open Source Development Labs–the consortium that steers the development of the Linux kernel–has put up money for a legal defense fund (backed by IBM, Novell, and others), and Hewlett-Packard and Red Hat have offered their own very tightly constrained indemnities for Linux, this is not enough. What the open source community, which includes both Linux and Unix customers, as well as customers on other platforms, has needed from day one is a way to verify that no stolen code, which may be covered by copyright or patents, ends up in any part of any open source program. The open source community started with the Unix movement more than three decades ago, and it has relied on the simple principle of honesty to assert this in the past. And being open, the code is subject to verification. This is one of the things that actually makes open source better than closed source: we can check the code and see if someone has borrowed things that they should not have.
It is ironic, of course, that the biggest proponents of proprietary software–the vendors with their own operating systems and middleware stacks, and you know them all by name so I am not going to bother rattling them off–would probably cringe if they were forced to the same level of code scanning as will become common in the open source community. Heaven only knows how many “ideas” have been borrowed or how many derivatives have been created that might nonetheless break the complex rules of copyrights, patents, and intellectual property as it relates to software. People who want to sell software in glass houses should be very careful about the stones they throw around. All kinds of panes could get broken. Now that I think about it, to be fair, all current and past proprietary programs should be put through such code checking, just as open source programs should be. What is good for the penguin is good for all the OS/400, Unix, Windows, and other proprietary geese that lay golden eggs. It is interesting to note that the OS/400 operating system and most, if not all, of IBM’s related systems programs are closed source, but that the AS/400 and iSeries community has a history of providing customers with source code for application software. Geac caused a bit of a firestorm two years ago, when it decided to take its System21 application back as closed source after acquiring JBA.
OSRM, which was formally announced last week, is taking the first step toward providing third-party code scanning for open source programs to look for any potential legal issues. The company has developed what it calls the VSearch risk assessment algorithms, which can look at the stack of open source programs that a company is using, tell it point blank what kinds of legal vulnerabilities there might be in the code, and then outline an economic plan that helps it mitigate those risks. In a sense, OSRM is building the actuarial tables that describe the risks of using open source software. This is a great service, and it is a starting point for other companies to actually provide insurance.
New York-based OSRM says that it plans to offer an “insurance-like” indemnification package, and says further that it reckons that insuring companies against potential legal problems as they use open source programs is a $1-billion business. Now that it is doing the assessments, it could turn out that insurers and re-insurers create a pool that offers real insurance. But more importantly, OSRM is offering specific indemnifications for modified open source programs. Just like an IBM, a Microsoft, or an Oracle will warranty and indemnify its customers for the exact programs that they use as manufactured by their programmers, OSRM will look at your exact code–which can be lightly or heavily customized open source–and then provide assessments and indemnifications based on your specific configurations. This is a powerful offering, and the fact that Pamela Jones–the driving force behind the Groklaw site, which has been tracking all the legal shenanigans in the Unix and Linux bases since May 2003 and which started the Unix Timeline Project in February 2004 to map out all the pieces of code that were created for some 30 different variants of Unix in the past three decades–has joined OSRM means it is credible and serious. This timeline is going to be a critical piece of evidence in the continuing lawsuits. In fact, it may even spawn some more suits if people start checking source more carefully. Inasmuch as OS/400 includes an AIX runtime environment and the future Power5-based Squadron servers will support AIX and Linux beside OS/400, what happens to Unix affects OS/400 shops.
By the way, Black Duck Software, which was founded at the end of 2003, offers an eponymous tool that can detect proprietary and open source code in your own solution stack and tell programmers and managers the potential intellectual property risks they face as they mix such code. If you use an open source program as part of your application, Black Duck will, for example, tell you if your licensing terms to your customers violate the GNU General Public License.
The big question in all of this, of course, is what the risk assessment and indemnification/insurance will all cost. While freedom is a great thing, particularly when it comes to creating software, if the hassle and cost are too high, companies will take the path of least resistance and cost. That much we can be sure of.