BURLINGAME, Calif.—As the issue of intellectual property and patent enforcement continues to gain traction in both the open-source and proprietary software industries, lawyers from open-source companies are clearly taking the issue seriously.
In a talk entitled "Reviewing the Use of Open Source Software in the Enterprise" at the OSDL Enterprise Linux Summit here on Monday, Karen Copenhaver, general counsel at Black Duck Software Inc., said that copyright infringement was a crime and in order to protect themselves and their customers from potential legal issues, enterprises using open-source software need to assess their code base, evaluate the processes that are in place and undertake remediation.
Companies then need to roll out a compliance program, establish a due diligence policy and implement automated end-auditable business controls, she said.
Black Duck, of Waltham, Mass., is an information services company offering IP risk management and mitigation solutions. Black Ducks ProtexIP development program provides companies with an extensive license and source code knowledge base that can be used to identify instances of open-source software and associated license conflicts.
Companies are already using ProtexIP in their open-source projects. Some, such as Testa, Hurwitz & Thibeault LLP, a leading Boston law firm, have found it useful in counseling its operating-company clients—as well as venture capitalists and institutional investors—on open-source issues.
Its also important to note that when an enterprise decides to assess its code base, the first investigation is the most important, and who conducts that investigation is also critical as the process needs to be managed to best get accurate information, Copenhaver said.
Companies also need to look at what steps they want to take to preserve attorney-client privilege when undertaking such an assessment so as to allow the information flow to be controlled and to limit the number of people involved in the investigation, she said.
"But once a company has decided to scan all its code, it should prioritize projects and not assess the entire code base at once. One project should be reviewed at a time and that review should be completed before the next review is started. They must also make a real resource commitment and must be prepared to follow this through to the end. Also, the number of people involved in the review should be limited," she said.
With regard to remediation, Copenhaver advocated "winning the right hearts and minds before charting a course of action. You should also avoid mandating a course of action advocated by lawyers alone," she said.
The most difficult issue companies face after such a code review is code that has been distributed to third parties and the question of what their obligations are to notify third parties, she said. But before doing that, they need to fully understand the way the third party uses and redistributes the code as well as the third partys obligation to install updates.
"A noisy withdrawal does not benefit anyone. Thorough preparation is extremely important and the focus going forward has to be on compliance," she said.
Companies also need to evaluate existing procedures, both the formal and informal ones, as well as identify opportunities to capitalize on good things and procedures that are already in place, Copenhaver said.
"Common approaches usually involve developers identifying open-source projects they would like to use, with someone like the general counsel then evaluating the appropriateness of that project for the company.
"But an ideal process really enables a company to embrace open source. It sets the proper tone for compliance and reduces the time and cost of development. It also identifies issues early in the development cycle, facilitates the efficient engagement of legal counsel in the review process and efficiently tracks compliance all the way through to product ship," she said.
Check out eWEEK.coms for the latest open-source news, reviews and analysis.