Slashdot Mirror
Properly Contributing to Open Source While on Company Time?
egeorge asks: "I was wondering what kind of paperwork/policies developers have at their jobs concerning contribution to open source projects. I develop software at a company that derives almost its entire revenue from software. Some software is licensed to customers, some is run internally in a service model, but the software is our whole business. We have recently been doing more and more modification and customization of open source products, and we would love to give some of this back. As developers, though, some of us are a little hesitant to just start flinging code that technically still belongs to the company out into the world. We want to make sure we get clarification about what is or is not covered by our NDAs.
So, what kind of procedures do other developers have to go through to get adequate coverage for Open Source submissions? I would like to suggest a policy to my superiors, and could use a few good suggestions."
I'm a consultant, paid for my time and the IP I develop. I would not dare to risk cross-contamination by doing anything more than downloading and using open-source packages at the office.
It was a joke! When you give me that look it was a joke.
As I understand it, as far as the copyright law goes, if you create it at work on your companies' computer, the copyright belongs to them.
keep in mind the GPL allows for internal use of modified software without releasing the source code.
autopr0n is like, down and stuff.
The first question that needs clarification in my mind is - Is your company distributing open-source code that they have modified?
If that is the case - then if it is GPL'd code, you need to release it according to the license. If it is a BSDish license that isn't the case.
Probably the best piece of advice - get your company to emit a policy on the subject. You may not like the results, but at least it will be a definitive answer.
Have you compiled your kernel today??
I think Justin Frankel would tell you that you can't ever be sure that you have any creative control over what you are doing on company time.
The only ways to remain certain that you have complete control are to either work on your own or with a small group in a small company and then leave as soon as they get bought out by the big guys.
lysergically yours
Remember that open-source is not necessarily free-as-in-beer. Your company can charge for the source code and the binaries if it wants, it just needs to use an open-source license (insert heavily-compressed flamewar here).
Also you can make quite clear that you will only support YOUR version of the product and that if they choose to modify the source they're on their own.
If you're just talking about donating code snippets, well, then you need someone with more experience in that than I.
Zaphod B
When duplication is outlawed, only outlaws will have
Thats what I did when I was at SCO, anyway!
...How to run an ebay business selling your company's items
Not always. As an employee of the US Government, my work is not eligible for copyright protection in accordance with 17 USC 105.
Thus, the programs I've written and been allowed to distribute are available as public domain. You can check out my programs for computer forensics and system administration, foremost, and md5deep, on Sourceforge.
Ultimately, anything you've done on company time is owned by the company, and you have no rights to it whatsoever, NDA or no. Your contract may grant or revoke various rights, of course, where not prohibited by law. But I would definitely go in assuming that all that code belongs to the company and you have no right to distribute it without formal written permission.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
gets asked a lot around here. And the answer is always the same: Talk to your legal department. There isn't anything else you can do.
When we're modifying open source programs for use in our environment, we try to come up with two different types of patches; patches that enhance the package wether they be with new features or bug fixes, and patches that are only there to support local conventions and tools. We rarely submit the local patches back to the development team of the package, but if we feel that the enhancement types of patches will help out the project, we'll submit them back.
Donald Roeber
Generating 2048 Bits of Randomness...
Because you are doing it on their time, not your own.
This makes sense when you think about it from their risk-averse perspective: releasing even small pieces of otherwise-useless specialized code is all downside and no upside.
On the plus side you might might improve goodwill with a small number of open source developers. But on the minus side you might be exposing the company to liability, accidentally revealing sensitive information, or inadvertantly helping your competitors. Plus, management always has to worry about shareholders second-guessing them -- possibly resulting in a shareholder lawsuit -- if the IP you give away is later perceived to have been very valuable.
Given all this, a dangerous but more pragmatic idea might be to just go ahead and contribute at least the small stuff like your patches and bugfixes. As long as you have no official policy forbidding this you can point out that it's just the standard way things are done when working with open source tools.
Let me be clear that I am not actually advising anyone to do this. More just.. thinking aloud.
I'd never do something so dishonest as to develop OSS on company time. I just look at pr0n and DL some music on Kazaa ;-)
"Much work is lost, for the lack of a little more." -Edward H. Harriman
Lucky bastard....Her Majesty the Queen of England of all people holds the copyrights on MY code. :)
I'm posting AC for my own safety. I made changes to an open source package for my employer. Since the changes were for an internal package (we didn't release binaries to the public) I was told by my boss that submitting the changes to the package maintainer would be a violation of my NDA. I discovered after I left the company that my changes were eventually submitted to the package maintainer, and that my boss had taken credit for them.
The moral of the story: get the company policies in writing before you start making changes to an open source package.
Of course, defining the Right Thing will in the end be up to your managers, but influencing their opinion is important.
First off, do they realize what value they are already getting from open source, or was that snuck in the door? The former would make life easier (for everyone, since more PHBs will realize the value of OSS).
One thing you don't want to do is to sneak behind your boss' backs and contribute what is unarguably company IP back to OSS without their permission. This can cause headaches down the road that could have been avoided.
Setting criteria for contributing back to OSS that you are enhancing is much easier than releasing OSS in the first place (IMO), and, yes, I have worked for enlightened companies that blended both well. It all depends on what your company does (industry focus) and where it values its IP. Generally though, if you have just enhanced OSS, returning those enhancements should be a no-brainer (and required by some OSS licenses). Again, that is really a no-brainer only if management knew you were using OSS in the first place.
For major enhancements, try to value it from your company perspective. If you were (eg) a video codec software company and had just made changes to a BSD video codec that gets 10x compression improvement with no quality loss, is it really worth your while to release that back immediately? I know some will argue that all software must be free, but how many of them are gainfully employed based solely on the free software that they develop (read: I don't think the model for just selling support sustains itself). IOW this isn't intended to start religious wars, just to make you think about what IP really has value to your company, and what you should be more readily willing to share.
Completely new software that you might want to release under and OSS license is similar to the above. First off, if you company isn't OSS aware, make them. Then discuss what things you don't want to release for core IP reasons, and what is good to release.
Remember that just releasing code doesn't raise the jollies of most corporate types. It usually has to have a purpose, and company brand awareness is a large part of that. Making or enhancing OSS software can be very good guerilla marketing for a company. It's perhaps not the same as dot.bomb hype levels, but it still has value for brand awareness, recruiting, etc.
Vicarious liability, for one reason. Your employer (in most jurisdictions) is at least partly responsible for your actions whilst you are in their employ, and on their time. It hardly seems fair for them to be expected to assume liability without having the capacity to mitigate it, does it?
And all the disclaimers in the world won't help you if a case can be made for malicious code being deliberately released - your company would still be accountable.
--Ng
We want to make sure we get clarification about what is or is not covered by our NDAs
IANAL but here goes...
This one is kind of obvious to me, but an NDA is an Agreement between two or more companies that basically says 'I'll show you mine if you show me yours' and legally binds each party not to tell anyone else about it. I try to avoid these because I'm always paranoid that the other company will tell me something I'm already working on and later try to stake a claim on what's mine.
Simple answer to your question: Before you send ANY code into the public domain get your boss to sign off on EXACTLY what you are releasing. Otherwise, even if you get the OK you could be in hot water later if your boss backs out on you.
All your base are belong to us!
I would have thought the best approach is to suggest that you submit the patches so that you won't have to go through the pain of merging your changes in every time you want to get a new version of the software. If you phrase it as something that will help your productivity, I'd have thought they'd be much more likely to agree.
It's not that I am charging for my IP. It's that the terms of my contractual agreement dictate ownership of work I create during my paid business hours.
I personally do not have a moral or ethical quandary with opening up my development process, busting a hole in the firewall to allow CVS or at least SSH access, and making wholesale changes to open source projects on company time. I just don't want to be the subject of a 'Your Rights Online' story here.
It was a joke! When you give me that look it was a joke.
Do you work for Microsoft?
Alan Robertson, who maintains the heartbeat package and works for IBM, recently posted to the ha-linux list on this subject.
Alan does not accept patches to the heartbeat code that were developed on company time unless he receives a disclaimer from somebody at the company.
This is obviously spoofable, but it's probably a good way to legally protect the code -- Alan can honestly say he received it in good faith, which keeps IBM's lawyers' from breathing down his neck. It's kind of weird for me, though, I have to send a disclaimer giving myself permission to send in a patch....
So, to answer your question: explain to your CEO why helping the OSS community helps you to help your company, and get her/him to sign off on a policy that allows you to do so. Ask for legal authority to be delegated to yourself (or your boss) to license or assign corporate intellectual property to open-source projects. Then have HR propagate the policy to your co-workers.
I feel like a fish catching a hook, but I'll reply for a bit. First off, this is off-topic. This story is about someone using opensource software in business services and wondering how to contribute changes/improvements back to the community while keeping his company's IP separated.
Second, open source models for profit are not based on the sale of the software, so since opensource companies don't sell their software, don't assume they aren't profitable. You don't credit Red Hat and Caldera with any development, but they most certainly do contribute and make their money off of both support and the package they sell their OS in. They prepare everything for a user to have a complete OS and that requires many tweaks to everything for uniformity and integration. They also develop and maintain OS updates as patches become available so their users can update their systems.
Your discussion against why opensource software is not better than commercial is only in talking about how gcc is not up to par with commercial compilers, but you haven't proven that point. As a cross-compiler, I'll bet gcc is probably one of, if not the, best out there. I guess it won't compile as well for a P4 as an Intel designed P4 compiler, but those details are tough to notice and not so applicable. Then your argument here trails into how there aren't enough qualified contributors in the opensource world to make competitive software, while I would suggest that there is more qualification in the opensource world. Since you didn't support your argument, I won't support this to save space and at least match the convincing-ness of your argument.
You say that opensource software was not responsible for the internet's success, but open protocols were. The first step was open protocols with clear definitions. The next was software to implement them, which is still largely opensource. Apache, BIND, sendmail are always at the top of the list and I promise if you turned off every Apache, BIND, and sendmail server right now, you wouldn't bother trying to use what's left of the internet.
By the way, how does Netscape's contributions to opensource help them make a profit? I've never felt inclined to buy Netscape's enterprise servers simply because I use Mozilla.
And this document won't be recopied or redistributed by me, as I'm not as willing to make a fool of myself like you have. But then again, I did bother to write this long reply.... oh well.
-N
I've nothing to say here...
Where I'm working right now (TimeSys), I've been involved in contributions to Eclipse and Cygwin. Here's some advice:
ASSUME THAT YOU ARE NOT ALLOWED TO RELEASE ANYTHING WITHOUT PERMISSION.
If there's no clear policy already in place, ask. You probably don't have the authority to act as an agent of the company with regard to making decisions about IP. (If you don't know for sure whether you have that authority or not, you should assume not until someone tells you otherwise.) Keep pushing the suggestions/requests up the chain of command until you reach someone who has the authority to say "yea". They may still tell you "nay", but at least you'll be getting a decision on the matter instead of an "I can't make this decision, I don't want to bother my boss, so I'll just say no" response.
START WITH SOMETHING SMALL.
In my case, it was getting permission to submit patches to correct bugs - very small, very simple, very non-threatening things. The argument was that we could submit the patches, or go through the pain of developing the same patches again with each new release of the software we were using. That's a good way to get the foot in the door: show that there's a benefit to submitting patches that outweighs any perceived risk. If you can show that you spend X days out of every release cycle generating the same ol' patches again and again, it's an even more convincing argument.
DON'T PUSH TOO HARD.
For some companies, this is a big step to take. Let the folks who make the decisions think about the idea, answer their questions honestly, and be persistent without harassing them every day about the issue. You don't want to have them tell you "no" just so you'll quit bugging them.
BE HAPPY WITH WHAT YOU GET.
I don't mean that when you get the first "no", you should give up. You need to be reasonable in your expectations - IMHO, submitting patches for bug fixes is fairly minor, and the reaction to that request should give you an idea of how receptive your maangement might be towards the idea of more substantial work & contributions.
My employer lets us submit bug fix patches freely for one project, at the developer's discretion. Minor feature additions in the same project require approval, which is generally easy to get. Other projects require management approval for all patches, no matter waht. Some projects that require copyright assignments are still in the "we're considering it" phase, and may never be approved. We've contributed at least one large chunk of original code to a project, and are considering doing it for a couple of others, as well, because while we want the software to have feature X, we don't want to have to maintain feature X. That's a pretty good argument to try if you're trying to get approval to submit a patch that adds a feature or functionality to an existing project :-)
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
I'm also a consultant, working for a not-for-profit, and I added a specific contract clause allowing me to contribute to OSS.
:)
The big code issue for my client was that they wanted explicit ownership of the code. They didn't want partial ownership, or to give me the rights to reuse the code, etc. I wanted the right to reuse what I developed elsewhere. We ended up compromising with a clause that allowed me to contribute any "fixes or improvements" to open source code back to the community. Interestingly, they were quite willing to accept this clause at contract time.
So I actually have an explicit contractual clause that allows me to contribute back. It makes me happy.
Try explaining to a client how you just charged them to add some functionality to something that will be used by others for free. It's great karma, but most suits aren't too interested in karma...
Another problem is that most people are more interested in short-term costs. Look at all the publicly-traded companies that will lay off people in order to boost their stocks in the short-term. The only people that really care about long-terms costs are either people in direct ownership or people with some level of perspective. Most grunts these days are probably figuring they won't be around at a specific company for long (whether it's their choice or the choice of someone else). And the best way to look good quickly is lowering short-term costs...
If all you have are silver bullets, everything looks like a werewolf.
Not in my experience. Some do, some don't. Many people don't even have contracts, but company policies usually exist regarding IP that is produced while employed at said company.
In some cases those restrictions even extend to one's free time. If you work for a company that develops software and decide to write some OSS on your own time, you could very well be putting your job at risk.
The moral: read the fine print before signing and/or going to work someplace.
This only works so well though. Many companies have small print that they basically own your brain while you work for them. Even IBM, which pays people to work on open source code has some paperwork for you if you want to work on your own projects. I believe it's fairly straightforward as long as you're not making money off something that looks a lot like your job but you Do have to fill it out. It does make sense from the company's perspective - they don't want to pay you to work on some propriatary code and then have you go home and use the expertise they paid you to gain to apply the same features to a free product that's their competition. Sadly I don't know the actual process one has to go through so I can't be of any help to whoever asked this.
I'm a consultant, paid for my time and the IP I develop. I would not dare to risk cross-contamination by doing anything more than downloading and using open-source packages at the office.
As a fellow consultant, I have a few questions for you:
1) Do your clients require that *you* wrote it, or that the thingamajig works?
2) Do your clients mind if sections of their codebase that aren't part of the core deliverable (libraries and the like) improve with time without further investment on their part?
3) Do you read the licenses for the stuff that you develop in proprietary software to ensure that "contamination" is not happening there, too? Some of the EULAs for compilers and IDEs can be quite frightening when you actually READ them.
I use *alot* of GPL and LGPL stuff in my work. The key is to ensure that the GPL stuff is called as an external process, (so it's effectively its own program) and the LGPL stuff sits in its own, separate file.
I contribute changes and improvements constantly.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
if you were my employee, and you wasted your time writing 'md5deep', you'd be fired. this is a 5 minutes shell script.
md5deep, reimplemented in shell, for your benefit. not tested, i'm sure there are some bugs. yes, it could use refinement, but this is a one minute job.
recursion:
$ find . -type f | xargs md5sum
time estimation:
#on my machine i get about 40 megs per second
#using md5sum (openssl is faster)
echo "`du -sk | cut -f1` / 40000" | bc
Clauses about owning what you do on your own time don't usually hold up in court, and I've yet to run into a client who wasn't willing to stroke that section out of the contract when I explain why it's an issue for me and my career.
The two places I've worked that leveraged OSS were good about posting their enhancements, one works directly with the developers for a key OSS product they use. (It's been a big benefit to both -- the OSS developer has been adding features they need, and they've been providing him a "real life" debug environment with a highly skilled team and solid feedback.)
I've always specifically steered clients away from GPL libraries, as their business IP isn't worth risking when there are LGPL (or equivalent) libraries that do the same job. Rah-rahs for the GPL and all that, but banks and financial companies aren't even going to consider putting their internal processing systems out as GPL software, and don't qualify for internal-use-only exceptions in most cases.
I do not fail; I succeed at finding out what does not work.