How important is software compliance?

Are developers actually chasing down license violations?

With one open source monitoring vendor repeating its claim that nearly 71 percent of open source mobile apps are out of license compliance, the question of what priority free and open source license compliance actually gets continues to elude the community.

The mystery of compliance priority is a weird one to solve. On the one hand, it seems like a no-brainer. If I am a developer, then it seems a pretty reasonable assumption that if I find out that someone is out of compliance with my works, it would be in my best interests to suss out what's going on and take appropriate action.

Yet when I read figures from OpenLogic touting that according to their survey of apps on the iOS and Android platforms, 71 percent of those apps that actually had open source were found to be out of compliance with open source licenses, I have to wonder if anyone really gives a damn about compliance anymore.

Granted, these OpenLogic figures aren't exactly new: they are part of a recap of their 2011 surveys and announcements compiled for a new report they recently released "Predictions and Trends for Open Source in the Enterprise."

I spoke to OpenLogic's Rod Cope last week to find out more about this presentation and where the data came from. This particular license compliance data came from OpenLogic's OSS Deep Discovery scanner, which scanned 635 mobile apps to find open source code. Sixty-eight apps were actually found to contain free or open source code (52 apps with the Apache Software License and 16 with either the GPL or LGPL), and of those

"…the compliance rate was only 29%. Android compliance was 27% and iPhone/iOS compliance was 32%. Overall compliance of Android applications using the GPL/LGPL was 0%."

Again, this is not new information: OpenLogic released this information back on March 8… of 2011. So, it's a year old, and honestly, there didn't seem to be a lot of hue and cry about this back then, either.

It's clear that OpenLogic is pushing their survey data again to get some mojo going for their support and compliance services, so it's a sure bet they're going to be emphasizing the importance of compliance.

Similarly, the Linux Foundation, which has its own compliance education program, would be expected to stress compliance as a priority.

But, over and over, I keep hearing that in terms of license compliance enforcement, there isn't a lot of activity these days. There are only three known FLOSS organizations that take on compliance issues:

I completely understand that current litigation and negotiations are usually kept under wraps, to protect the interests of all parties concerned. So, I know there could be a lot of activity going on behind the scenes of which you and I are completely unaware.

Looking at the press archives of these organizations, though, tells an interesting story.

The last significant litigation news from the Software Freedom Law Center, for instance, was a 2010 press release about a motion they had filed against Westinghouse in the 2009 BusyBox lawsuit against that company and 13 others.

The FSF filed one brief in 2010: an objection to the Google Book Search settlement, and I could not find any news on litigation or settlements about compliance since then.

This could be a dumb way to find out about compliance activity: the Software Freedom Conservancy has no archived news on compliance issues, even though I know Bradley Kuhn is managing compliance complaints over there.

Still, there isn't a lot of perceived activity around software compliance, and I wonder if that's causing some harm to the FLOSS ecosystem. If compliance isn't being seen as a high priority, that may perpetuate the notion that compliance isn't a high priority.

Complicating this is the fact that the organizations telling us that compliance is important all have vested interests in making compliance important. OpenLogic, Black Duck Software, and the aforementioned Linux and FLOSS organizations each have a stake in pushing compliance, albeit for different reasons.

That's not to say these entities have something nefarious going on. But they are not the developers who ultimately have to decide whether they pursue compliance, so we have to take all of their data with a grain of salt.

Here's what I hear all of the time: compliance is a problem, but few developers have the time, energy, or money to chase down all of the violations of their licensed software. Developers are not lawyers, and even if they could track down non-compliance, they may not know how or even want to pursue the violations.

Granted, it's my anecdotal evidence versus the evidence collected by surveys and the actual (but somewhat quiet) experience of organizations pursuing compliance. But in this case, I get the sense my anecdotal evidence may show a clearer picture of the prioritization of compliance than all this other data.

Read more of Brian Proffitt's Zettatag and Open for Discussion blogs and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
