Slashdot Mirror
Submitting Corporate IP to Open Source Projects?
dannyp asks: "Does anyone have advice and/or references for working with a (very large and cautious) corporate legal department to establish a policy for submitting company-developed patches back to Open Source projects? I work at a large company outside of the technology sector (financial services). As we've succeeded in getting Open Source packages approved for use within the company, we're trying to figure out how to submit patches back to the community. We have to convince management that it makes sense to give this Intellectual Property away, and then (more difficult) convince Legal that we aren't going to get sued for doing it. Any advice?"
Out of curiosity, to the degree that people all talking about their own experiences and not just running their mouths:
Could you give some examples of what GPL products you've patched and (to the degree you can say) what the patches add or fix?
I'd like to get a sense of how much advantage users really get from having source available.
What I'm listening to now on Pandora...
If it is GPL'd software then point out to them that they could be sued if they do not release the patches.
That's completely untrue. You can use patches to GPL'd software internaly to an organization or personally without releasing code. You only need to release code if you plan on distributing the modified version.
Go read section 2 of the GPL carefully.
I don't intend this as a flame-- or FUD, for that matter-- but it almost sounds like you may have inadvertently pulled a bait-and-switch on your company.
You said, "we've succeeded in getting Open Source packages approved for use within the company," and this implies that you yourself-- as part of your group or whatever-- advocated the use of Open Source software inside your company. Did you make it extremely clear to the people to whom you were advocating that Free software is not entirely free?
What I mean is this: when you download GNU SurfWriter from an FTP site, you don't have to pay anybody. You get to use the software for no money. But there's an opportunity cost attached. In using the software, you give up the ability to redistribute it in binary-only form. You give up the ability to incorporate any part of it in a closed-source application. You give up a number of "rights" as part of the "cost" of GNU SurfWriter.
Put yourself in your boss's shoes for a minute. One of your employees came in last month and convinced you to use GNU SurfWriter. It's free, he said. You get the sources, he said, so you can modify it as you need. All good reasons.
Now, just a few short weeks later, that same employee comes in and tells you that you either should or must (depending on the circumstances) release your company's changes to GNU SurfWriter to the public. He never said anything about having to give away company IP when he argued for GNU SurfWriter last month! Bastard! Now you've got to explain this to your boss!
Net result: your boss, maybe your whole company, has a bad impression of the GPL specifically, and Open Source and free software in general.
I'm neither trying to advocate or deride the GPL in this post. I'm just pointing out that that particular license is definitely two-sided, and failure to be very clear about its limitations can be a bad thing. Without knowing it, you yourself may have spread FUD by not telling the whole story.
When I was hired by my current employer, my contract basically stated that anything I do on their time is theirs.
Things get even more complex, when my time is spent representing my company as a subcontractor to another company. During this time, who owns my work is spelled out in the contract between those companies.
Thus, the only real answer to your question is: you have to convince the people who set up your business contracts to include a clause spelling out your rights to submit patches to Open Source projects. However, none of the parties in that contract want to pay a lot of money for you to work up such patches, so it will probably be an up-hill battle for you.
Mainly, I have learned that large bureaucracies, such as those in large companies and governments, tend to stifle such initiatives. Also, you will find that no one in that bureaucracy will be willing to take on any risk for your sake.
Sometimes these bureaucracies are so mind-numbingly stupid that sometimes I just want to go live in the woods for a while and play chess with my squirrel friends. Yes, that would be much better.
Healthcare article at Kuro5hin
The QA part is a good seller. If you have only tested your stuff the way that you use it and someone else gets it they may test and use it differently. This helps you QA your stuff.
Only 'flamers' flame!
There are several things to consider before deciding that it would be wise to donate corporate IP back to an Open Source project. These particular decisions can usually be made either way without incurring the wrath of even the FSF:
... to your customers for
First factor:
Are your patches merely bugfixes, or are they
added functions?
If they are mere bugfixes, I can't see where
your management would object to releasing
them.
OTOH, if you have added new and significant
functionality to the program, you might want
to move on to consideration #2.
Second factor to consider:
In the case of new functionality, is there any
reason to distribute it outside your company?
If the modified program only has meaningful
application within the context of a company
similar to your employer do you think it
would be wise to give your work to the
competition?
OTOH, if it is something that you need to
distribute, say
their use, I would agree with the previous
poster who wrote that contributing your
patches back to the project might be necessary
to prevent a lawsuit.
As for protection from a lawsuit for having contributed your patches, I recommend you refer your corporate counsel to the language of the license that covers the package. The disclaimers in most OSS/FS licenses are much more protective of developers/contributors than even Microsoft's EULA is.
Just my US$0.02
utter rubbish
I highly doubt giving away your IP is somehow going to make you more profit than you lose.
We need software X to do function Y. It will take 50 man hours to complete at $50 per hour. Thes $2500.
However, release code, ask for feature, 2 weeks later function Y is in product X. Take code. Use Code.
Net gain $2500
Net loss $0
If your company doesn't release the patches, they will have to be reworked into new releases of the vanilla source tree.
However that doesn't mean everybody else will do your work for you. If there's a conflict between your code and someone else's, you might be expected to fix your code. But being in first gives you an advantage.
So, sell patch release as reducing the code maintenance overhead.
None of this from experience, just common sense and observation.
Yours Sincerely, Michael.
Fifthly, the poster specifically said that lawyers would need to be consulted before code could be released. Lawyers are at least as expensive as coders, so your "Net loss: $0" is certainly not accurate.
How about this scenario. The figures could go either way, but it's important to note which figures are one-time and which are recurring...
Releasing code:
- Lawyer time ($nnn, one-time)
- Programmer time to work with external maintainer to get patches accepted into the external source tree ($mmm, one-time, probably not a terribly large amount of time)
Keeping code internal:
- No lawyer time ($0)
- No up-front programmer time ($0)
- Programmer time to re-integrate local changes into new externally-released version of program ($ppp, recurring, and probably much larger than $mmm, at least).
Now, depending on the lawyer cost, a single upgrade might or might not work out cheaper if the code is kept internally. But eventually a recurring cost is guaranteed to come out greater than any one-time cost. This is even more true if the legal work can be done once to cover all future open source contributions, so that the lawyer cost can be split across multiple applications.
What a lot of managers don't realize is that maintaining a fork of a program's source code is expensive. As your codebase diverges from the external one, important bugfixes applied to the latter become harder and harder to apply to your local copy, taking more and more programmer time to keep up. Paying a little more up front in that situation is just good sense.
Programmer time to re-integrate local changes into new externally-released version of program ($ppp, recurring, and probably much larger than $mmm, at least).
That's actually an excellent point. If you're making changes to a moving target, and the maintainer seems agreeable to letting in your enhancements, then not only do you save money by not having to constantly merge, but you also get a less buggy product due to increased testing.
Yep, I overlooked that factor. Thanks for the insight.
Version 3 of the GNU General Public License supposedly will add verbiage to cover application service providers, though. Basically, the idea is if you take a GPL 3 application, patch it, and make its functionality publicly accessible, you're still liable for sharing the patches even though you haven't distributed the binary.
GPL 3 is still vaporware, so the details may change. But it is something to keep in mind, especially if you deploy a commercial site that's backed by GPL software. If that software moves to a GPL 3 license, things could get interesting. I hope not in a bad way.
(Before you all scream "FUD", keep in mind that I release all my own code under GPL 2. I can't say the same about the code I write at work, but then my employer owns that code, not me.)
--JoeProgram Intellivision!
Donating IP to an open source project gives you company visibility, good will, attracts programmers, invites enhancements from other users, and in many cases reduces your maintenance costs. That often beats letting the stuff sit in a drawer, where you derive exactly zero benefit for it, or even have to pay for continually patching it into open source software.
No, contributing code or ideas to open source projects isn't always a financial win, but it makes a lot of sense much more often than you suggest.
They only have to distribute the patches/sources if they distribute the binaries outside their organization. If it's for internal use, they can do whatever they want and keep it secret.
We found a code gen bug in gcc a long time ago on Sparc. We fixed it and submitted a patch. We could have, perhaps, worked around it, but we didn't need to since we had the gcc source.
Incidently, the gcc source is surprisingly easy to read. I've referred to it numerous times to see why something does what it does, what different command line options do, etc.