Risk Management and Open SourceBy Blane Warrene
One of the trickier parts of open source development is often when leveraging open source code and applications within commercial closed source solutions. Often the goal of the developers is to reduce the development lifecycle of an application by using proven open source components or applications already vetted by public use.
This may not be an issue for an internal-only private solution such as a private corporate intranet or extranet. Things can get sticky if this solution is shifted for distribution or sale to partners, clients or the public. Even more sticky if the completed solution is not intended to be distributed as open source.
Clarification: Having worked on a mixed-source project, when I note a solution that would incorporate open source but sell commercially as closed source, it is understood that this solution would adhere to the open source licenses for those components included and provide the source for those pieces with the application while not disclosing any code intended to remain proprietary.
Intellectual property (IP) management, risk management and code escrow have been around in some form for some time. These fields are in varying levels of maturity and often grow as court systems set precedent to be interpreted.
However, the legal system is expensive, and for firms seeking to reduce risk, a software maker has come to the table with a potential solution.
Black Duck Software announced on Monday the release of a new risk management tool for software developers. protexIP/Development is a software tool that integrates with development enviroments (including cvs-style repositories) and includes a knowledge base of open source licenses and can check against project parameters and code to find instances of conflict.
This is not an inexpensive tool, however, for anyone developing and distributing commercial web applications with open source components, well worth review. The cost is $2500 per seat annually.
Additionally, the firm hosts the protexIP/Registry, which offers developers the opportunity to submit a project profile securely to Black Duck, and once confirmed free of IP or other license conflicts, are listed in a registry reflecting their compliance. This can assist with client relations as well as with situations where insurance is being included in the sale or deployment of a web application. The cost for this service is $1000 per project.
While I am not endorsing these products, it is one of the first to marry together the worlds of commercial and open source software and shows just how prevalent the combination of the two are becoming in application development.