In the early days of free software, the struggle was just to get companies to try this new and rather unconventional approach, without worrying too much about how that happened. That typically meant programs entering by the backdoor, surreptitiously installed by in-house engineers who understood the virtues of the stuff -- and that it was easier to ask for forgiveness after the event than for permission before.
Later, when free software become more widespread in the enterprise, the issue of license compliance gradually reared its head, particularly in terms of making code available and contributing back changes. At this time, it was still important to minimize barriers to using free software, rather than to police it in such a way as to frighten off potential supporters. But it was also critically important to confirm that the "copyleft" approach worked in legal terms and would be accepted by the courts.
This led to a very low-key, discreet approach, whereby defenders of the Gnu GPL -- because this was the main license involved -- tried to persuade companies to comply, without resorting to heavy-handed legal methods. That explains why there have been so few cases argued in court, and why those that have moved in that direction have all ended successfully for free software, as in the latest example.
As a result, it is now pretty much established and accepted that the Gnu GPL license is sound, and that there is very little point in trying to wriggle out of complying with it. That being the case, the emphasis is now shifting from slapping down the occasional willful noncompliance to making it as easy as possible to check for compliance, as evidenced by this major new initiative from the Linux Foundation:
As the use of Linux and other open source software has exploded in recent years, especially in mobile and consumer electronics products, the need has arisen for a trusted, neutral, noncommercial compliance program that offers a comprehensive offering of compliance training, tools, and services. To address that complexity, the Linux Foundation has developed a set of open source tools, training curricula, and a new self-administered assessment checklist that will allow companies to ensure compliance in a cost-effective and efficient manner. The Open Compliance Program also includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way.
It comes with a very impressive roster of support, including most of the top computing companies (well, OK, two are conspicuous by their absence). Crucially, it is backed by the two organizations that have done most in the area of compliance until now: the Software Freedom Law Center and Harald Welte's GPL-Violations.org.
There are several points to note about this move.
First, the fact that the announcement explicitly mentions companies in the world of mobile and consumer electronics. That's partly because the uptake of free software has been very strong in these areas, since its virtues of zero cost, modularity, customisability, stability, and security are all key in these areas. But it is also a reflection of the fact that most compliance cases have been in these fields.
Of course, that doesn't mean the moves are of no interest to other business sectors: One of the great things about open source is that developments in one field spill over into others, taking their benefits with them. So all of the "open source tools, training curricula and a new self-administered assessment checklist" that are promised could be usefully applied by any company thinking to use open source tools in any way that goes beyond simply installing stuff and running it -- for example, by modifying code, or distributing it.
As Jim Zemlin, executive director of the Linux Foundation, writes in an accompanying blog post: "It will lower costs for every company who uses open source by giving training, a guidebook of best practices and access to resources to make it much simpler to comply with license obligations."
He also makes the following excellent point: "I also want to be very clear: Complying with open source licenses is actually easier than complying with proprietary ones. (One reason: There is no money involved.) There are countless software audits of users every year, and settlements often range in the tens of millions for large companies. You may not have heard about those cases since they do not get the attention the very few open source cases do, but make no mistake, complying with proprietary licenses is not easy or cheap."
That is, not only is compliance with open source easier than with proprietary products, it is now even easier, thanks to the new program.
An important part of this is a set of new tools. All of them, of course, are open source, so it will be interesting to see whether any new companies grow up around them:
- Dependency Checker Tool: Initiated by the Linux Foundation as an open source project, this tool identifies source code combinations at the dynamic and static link levels and provides a license policy framework that enables open source compliance officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.
- Code Janitor Tool: Initiated by the Linux Foundation as an open source project, this Code Janitor tool provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mention of competitors, and so on. The tool maintains a database of keywords that are scanned for in the source code files to ensure source code comments are sanitized and ready for public consumption.
- Bill of Material Difference Tool (BoM Diff): Initiated by the Linux Foundation as an open source project, the tool will be capable of reporting differences between bills of materials and therefore enable companies to identify changed source code components and to better report included open source component in updated product releases. The development on this tool will start in late 2010 and links to mailing list and Git repository will be made available then.
All three tools -- but especially the one that sanitizes your code -- reveal a deep and important truth about this latest move by the Linux Foundation: that they try to take all the fun out of free software. They are about removing the quirkiness and the riskiness that has characterized free software in business for the last decade and a half, and seek to replace it with nice, safe systems that senior management will instantly fall in love with. In a word, they seek to make open source boring for the enterprise. That's not only good news for companies, it's a really important step for the Linux Foundation.
I've been rather skeptical about what role the Linux Foundation should play in the open source ecosystem, and I've found its earlier moves have rather smacked of searching around for something to do there. But with its new Open Compliance Programme it has truly come into its own, offering an important, necessary, and dull set of tools that mark a kind of coming of age not just for enterprise open source, but for the Linux Foundation itself.