McAfee Issues Warning Over 'Ambiguous' Open Source Licenses

Looks like the recent Software Freedom Law Center filings may have had some impact on how companies think. From a recent InformationWeek article:

McAfee frequently cautions other companies about the latest bugs and computer viruses, but the security software maker is now warning that its own business could be in jeopardy — not from some form of malware but from the fact that its products rely heavily on open source software.

In its recently published annual report, McAfee warned investors that the “ambiguous” license terms governing the open source software it uses “may result in unanticipated obligations regarding our products.”

“To the extent that we use ‘open source’ software, we face risks,” McAfee warned.

McAfee said it’s particularly troubling that the legality of terms included in the GNU General Public License — the most widely used open source license — has yet to be tested in court.

“Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software,” McAfee said in the report filed last month with the Securities and Exchange Commission.

Among other things, the GPL requires that manufacturers who in their products use software governed by the license distribute the software’s source code to end users or customers.

This seems like a bit of FUD to me, promulgated by a company worried about its business model. Keep in mind that it’s always an option to not use Open Source code. It seems to me that McAfee wants to enjoy all the benefits that come with Open Source code, without giving back in any way. The fact that the GPL code is good enough that they want to use it should speak volumes. Just how long would it take them to rewrite all that code? What would the associated costs be? There is no free ride, nor should there be one. The fact is, if more secure operating systems that treat security as a first-class citizen (note, I am not just talking Linux here) become more prevalent, companies like McAfee are in big trouble. I find it interesting that some companies continue to insist that Open Source code and security are in opposition. It should be obvious why peer-reviewed code would end up more secure as time goes on.

–jeremy

BusyBox Developers and Monsoon Multimedia Agree to Dismiss GPL Lawsuit

It’s great to see that the first U.S. GPL lawsuit filed has been settled with fairly little fanfare. From the press release:

The Software Freedom Law Center (SFLC) and Monsoon Multimedia today jointly announced that an agreement has been reached to dismiss the GPL enforcement lawsuit filed by SFLC on behalf of two principal developers of BusyBox.

BusyBox is a lightweight set of standard Unix utilities commonly used in embedded systems and is open source software licensed under the GNU General Public License (GPL) version 2. One of the conditions of the GPL is that re-distributors of BusyBox are required to ensure that each downstream recipient is provided access to the source code of the program. Monsoon Multimedia uses BusyBox in its HAVA TV place-shifting devices.

As a result of the plaintiffs agreeing to dismiss the lawsuit and reinstate Monsoon Multimedia’s rights to distribute BusyBox under the GPL, Monsoon Multimedia has agreed to appoint an Open Source Compliance Officer within its organization to monitor and ensure GPL compliance, to publish the source code for the version of BusyBox it previously distributed on its Web site, and to undertake substantial efforts to notify previous recipients of BusyBox from Monsoon Multimedia of their rights to the software under the GPL. The settlement also includes an undisclosed amount of financial consideration paid by Monsoon Multimedia to the plaintiffs.

“Although we really hated having to ask our attorneys to file a lawsuit to get Monsoon Multimedia to abide by the GPL, we are extremely pleased that they worked so hard and so fast to come into compliance,” said Rob Landley, a developer of BusyBox and a named plaintiff in the lawsuit.

The settlement did include a monetary piece, as the initial speculation indicated. As a whole, the outcome should serve to deter other companies from violating the GPL for fear of real damages being brought against them. Kudos to Monsoon for doing the right thing, but I’d still like to see the product they produce support Linux from a client perspective.

–jeremy

First U.S. GPL lawsuit filed

From Linux Watch:

For the first time in the U.S., a company and software vendor, Monsoon Multimedia, is being taken to court for a GPL violation. Previously, alleged GPL violations have all been settled by letters from the FSF (Free Software Foundation) or other open-source organizations, pointing out the violation.

The SFLC (Software Freedom Law Center) announced on Sept. 20 that it had just filed the first ever U.S. copyright infringement lawsuit based on a violation of the GNU General Public License (GPL) on behalf of its clients. The group’s clients are the two principal developers of BusyBox. BusyBox is a small-footprint application that implements a lightweight set of standard Unix utilities. It is commonly used in embedded systems, and is open-source software licensed under the GPL version 2.

The developers of BusyBox came to the SFLC after trying to talk Monsoon into honoring the conditions of the GPLv2. Unsuccessful with this, the SFLC has filed suit on the developers’ behalf against Monsoon.

As you can guess, this news has been swirling around the blogosphere. While it is the first lawsuit to be filed, it looks unlikely that it will go to trial. It is interesting to note that the complaint asks not just for an injunction (which has always been the presumed remedy for GPL infringement) but for financial damages. That could make the settlement a bit trickier. At any rate, while I find the attitude of the company’s rep odd, it seems clear they want to set things straight. Why odd, you ask? He says:

I’ll have to contact the engineering team and see what the expected scope (level of effort) is and then balance it against our other development tasks. And when I know I will let you know.

You cannot balance legal obligations with development tasks. Looking at the entire thread, I am going to give him the benefit of the doubt and say that he was still learning the GPL (and the repercussions of breaking it). How the company responds in the next couple of days should give a pretty clear indication of how this is going to unfold. Let’s hope they do the right thing.

On a side note, I find it odd (or better put… disheartening, but not surprising) how many devices take advantage of Linux and Open Source without actually supporting Linux or Open Source from a product perspective. The HAVA product looks quite nice, but not nice enough for me to get Microsoft Media Center or a Windows Mobile 5 device ;) A shame, really.

–jeremy