October 5, 2007
I Know You Are but What Am I?

Stephen Shankland recently wrote an interesting blog post regarding the GPL/Monsoon lawsuit. In the piece, he quotes James Harvey, an attorney with Hunton & Williams, as saying, "There still appear to be flaming examples of either indifference to or outright disregard for the GPL. I think those flaming examples will increasingly be called to order by somebody, whether SFLC, a copyright holder or someone else in the open-source ecosystem."

Of all the content in the piece, I think this statement is actually the most important.

Every once in a while in early meetings with enterprises, we hear executives who say code management isn't on their priority list "right now," or that they "just don't have a need for that type of solution," or even (and this is my personal favorite) "We already have tracking mechanisms in place," read: sticky notes, emails, and out-of-date Excel spreadsheets. In a brave new world where GPL enforcement is a reality, companies are taken to court, and we watch with interest, anything less than a thorough code inventory is really a slap in the face to open source in general.

What's interesting is that after a couple of discussions with their engineering teams, the same reluctant executives soon begin to realize that by not knowing what's in the code base, organizations are turning a blind eye to both license violations and open source vulnerabilities -- both of which can derail a potential profit-earning product faster than you can say "BusyBox." If, as Monsoon states in their response to the lawsuit, "We intend to and always intended to comply with all open-source software license requirements," then they likely would have had a full accounting of which open source projects were contained in their applications, which ones had license restrictions, and which ones they were not in compliance with. However, the suit itself paints a much different picture.

There have been a couple of fascinating articles over the past several weeks that call into question the necessity of code audits and/or the reality of the issues that come with not knowing your code inventory. When presented with such articles, many influential analysts responded with dismay and head scratching. In response to an article questioning the value of code audits, a prominent open source expert said, "clearly the journalist doesn't inhabit the same world as our clients when it comes to accountability, integrity, and risk mitigation." This opinion was echoed throughout the legal community as well, where the Enterprise General Counsel is extremely concerned with avoiding intellectual property violations introduced by the development process. 'If you build it, they will come' takes on a new, more serious significance when talking about the SFLC.

When asked whether or not code audits are really necessary, it's very easy to point to innumerable real-life cases in which, yes, a code audit was the most critical part of the exchange. The Monsoon case is but one of what I predict will be many more cases like it -- albeit defending various open source license terms -- that take a hard-line stance against wanton misuse and/or willful ignorance.

Open source use should not be aligned with open source license abuse.

--Melisa LaBancz-Bleasdale