Further complicating the case was the origin of the code used by Actiontec: an unnamed Asian OEM that embedded it in the router's integrated circuits. Similarly, Cisco purchased parts from a vendor in China containing embedded code that should have been shared under the GPL -- but wasn't, says SFLC attorney Aaron Williamson. And that led to a suit filed late last year.
It's quite possible that the Asian vendors had never even heard of the GPL, much less thought about complying with it, he says. Still, the ultimate seller bears responsibility for the actions of its suppliers, and when education and persuasion fail, Williamson and his colleagues are prepared to sue for clients who step forward.
He figures that similar issues involving firmware are likely to arise. The Verizon case concluded with a favorable settlement for the developers last year, and Williamson says the Cisco lawsuit is close to a similar outcome.
The provision of the GPL that tripped up Verizon and Cisco is known as "copy left," which requires that users make changes public to code covered by the license. But you won't find that provision in Apache's licenses.
"We feel there are enough enticements without holding a gun to someone's head," says Apache Software Foundation president Justin Erenkrantz. The Apache license, he says, "is hard to violate because it basically says you can do whatever you want as long as you don't use our name." IBM, for example, can't claim its HTTP server is Apache, but it can note it is "powered or based" on Apache.
Why many enterprises are open source vampires
Given the forgiving terms of the license, it's not surprising that Apache doesn't have many problems with violations, but Erenkrantz goes further, praising Sun Microsystems, Hewlett-Packard, Yahoo, and even Google -- often labeled a freeloader -- for making significant contributions. He's not alone in letting Google off the hook. Matt Asay puts it this way: "A year ago I was a vocal critic of Google, but they've come around."
Asay, though, doesn't give everyone a pass. "Enterprise IT is the biggest consumer of open source software, and it gives almost nothing back to the community," he said in an interview. Particularly galling to him is the fact that the worst offenders generally aren't technology companies that might reasonably worry about giving away a competitive advantage, but mainstream enterprises that don't have such an excuse.
Why not comply? "I spoke at a CTO breakfast and asked that question," Asay recalls. "Some said it was hard to get approval from their company legal team, which worried about liability issues. Others simply didn't see the benefit."
No benefit? Open source projects -- and there are more than 100,000 on SourceForge alone -- may or may not use a license that "requires" a user to contribute back, but those who don't contribute back lose a key advantage of the model: collective support for new code. Companies that go it alone have to spend time and development money making fixes to "forks" that could be handled by others -- a powerful incentive to play by the rules.
Even so, the culture of collaboration, which is really the ideal of open source, doesn't run very deep in most companies. Institutions, as Woods pointed out, simply aren't wired that way -- yet.