Beginning in 2006, some customers of my previous company started inserting contract provisions requiring us to identify all open source software in use within the networking service we provided. As the VP of Engineering at the time, I told them that I stood behind the total service offering, regardless of which parts were open source, which were commercially licensed, and which were built by us, so they needn't be concerned about this. In each case they agreed and removed the provision. It is now clear to me that they should not have done so. Here's why.
Let's say that, like most commercial companies, you use some open source. And let's say that, like most companies, you think you use a small number of open source projects. But an investigation would show that you use five times as much as you think. (We quite often find this to be the case when our software is run against our customers' code.) Let's agree that if you don't know you are using a particular piece of software, it's pretty unlikely that you are meeting the terms of its license. And if you don't know you are using a particular open source project, let's also agree that it's pretty unlikely you are picking up and applying all the security vulnerability patches for it.
From an ethical viewpoint, you would want to fix this. From a brand protection and customer retention standpoint you would want to fix this. From a legal and financial liability standpoint you would need to fix this. But you don't even know the problem is there. Then one day, some disgruntled employee, or some hacker, or some curious web crawling programmer with too much time on his hands notices your error. You get bad press. You get nasty communications from lawyers representing the open source code licensor whose license you have mistakenly violated. Depending on your industry, you might also get additional communications from regulators of one form or another. You spend staff time reacting to this crisis instead of doing the value-producing work you already had lined up for them. Customers and shareholders wonder about your business practices and their reliance upon you. You may even get a court injunction telling you to immediately stop using the code in question. What would that do to your online service? How much shipped product would you have to recall and replace? How will that affect your ability to conduct your business? If I am your customer, depending on you in the running of my own business, where does this leave me?
Companies should not only require vendors to disclose their use of open source. They should also require vendors to provide a record of an independent third-party investigation that allows them to assert a comprehensive level of knowledge of what open source they are using, as well as an audit of their compliance with the various licensing terms those projects impose. This kind of requirement, driven by large enterprise customers and by Sarbanes-Oxley-type pressures for better self-governance, has appeared on the horizon. Its pace will quicken. Will you be ready?
--Bennett Barouch
