Properly Contributing to Open Source While on Company Time?

egeorge asks: "I was wondering what kind of paperwork/policies developers have at their jobs concerning contribution to open source projects. I develop software at a company that derives almost its entire revenue from software. Some software is licensed to customers, some is run internally in a service model, but the software is our whole business. We have recently been doing more and more modification and customization of open source products, and we would love to give some of this back. As developers, though, some of us are a little hesitant to just start flinging code that technically still belongs to the company out into the world. We want to make sure we get clarification about what is or is not covered by our NDAs. So, what kind of procedures do other developers have to go through to get adequate coverage for Open Source submissions? I would like to suggest a policy to my superiors, and could use a few good suggestions."

before the brainless GPL zelots jump on him..

[autopr0n]

keep in mind the GPL allows for internal use of modified software without releasing the source code.

Re:before the brainless GPL zelots jump on him..

[dubious9]

Yes, but its in your best interest to release your changes back to the communtiy so you won't have to manually merge code in later versions.

When our company needed to use some open source, we had a meeting with the legal department. Basically what they said is that if it didn't contain any proprietary information relating to our line of business then we could release it. Since the project just converted xsl to rtf then we didn't have to worry about it and got a green light.

Since we've put it into production and release the changes we made back to the community there have been 3 releases that we don't have to maintain ourselves. The whole thing probably saved us about a man year.

A quick list

• Don't ask for permission. What they don't know, can't hurt them!
• Be like Nike; Just Do It! Need to write a routine for the internal process? Just slap the GPL on top and release it on Sourceforge.
• Make use of the resources available. Do you not have enough time to work on your own projects? Just circumvent the firewall and telnet to your home machine. The office is more comfortable, anyway.
• It works the other way you know. Need a routine for an internal project? Just use it and release the changes.
• If all else fails; lie. Claim it wasn't you. Cover your tracks. Call the BSA if you need a diversion in a hurry.

Thats what I did when I was at SCO, anyway!

And in other news...

...How to run an ebay business selling your company's items

Forgiveness easier to get than permission?

[Saucepan]

From past experience I've found that asking upper management for permission to contribute code results in them hemming and hawing, thinking about it for six months, and eventually just saying "No" when pressured for an answer.

This makes sense when you think about it from their risk-averse perspective: releasing even small pieces of otherwise-useless specialized code is all downside and no upside.

On the plus side you might might improve goodwill with a small number of open source developers. But on the minus side you might be exposing the company to liability, accidentally revealing sensitive information, or inadvertantly helping your competitors. Plus, management always has to worry about shareholders second-guessing them -- possibly resulting in a shareholder lawsuit -- if the IP you give away is later perceived to have been very valuable.

Given all this, a dangerous but more pragmatic idea might be to just go ahead and contribute at least the small stuff like your patches and bugfixes. As long as you have no official policy forbidding this you can point out that it's just the standard way things are done when working with open source tools.

Let me be clear that I am not actually advising anyone to do this. More just.. thinking aloud.

Government Copyrights in Canada

[IncohereD]

Lucky bastard....Her Majesty the Queen of England of all people holds the copyrights on MY code. :)

A cautionary tale

I'm posting AC for my own safety. I made changes to an open source package for my employer. Since the changes were for an internal package (we didn't release binaries to the public) I was told by my boss that submitting the changes to the package maintainer would be a violation of my NDA. I discovered after I left the company that my changes were eventually submitted to the package maintainer, and that my boss had taken credit for them.

The moral of the story: get the company policies in writing before you start making changes to an open source package.

Re:Simply put: I DO

[Ngwenya]

Well, sometimes I will be working with a OSS software package and I see a way to make a little change to make it better, or fix a bug. Why should any employer/client worry about that?

Vicarious liability, for one reason. Your employer (in most jurisdictions) is at least partly responsible for your actions whilst you are in their employ, and on their time. It hardly seems fair for them to be expected to assume liability without having the capacity to mitigate it, does it?

And all the disclaimers in the world won't help you if a case can be made for malicious code being deliberately released - your company would still be accountable.

--Ng

Re:Are you modifying/shipping Open Source?

[Zathrus]

If it's true GPL code and they're distributing it to outside customers, well, they're idiots. Because they now either have to remove the GPL code entirely or release the entire application under the GPL.

If it's LGPL then they need only release any modifications to the library or other LGPL'd code they did. Or, again, remove the LGPL code -- presuming they're distributing it at all.

If it's BSD or similar it's irrelevant, as you said, as long as they keep the copyright notices, etc. in tact.

Essentially, check the license before you use the code and know what it means. We use a great deal of LGPL, BSD, and public domain code in our products. We stay away from GPL though -- we don't have any intentions of distributing at this point, but if we did we'd rather not have that problem.

As far as remitting work back to the community - talk to your managers. If your managers are decent then they'll understand the issues involved. It may take some time, but most likely you'll be given the OK. After all, think about what you've modified in the code -- does it give any advantage to your competitors? Does it reduce the value of your product to your customers? Are the changes bugfixes or new logic that's only applicable to your company?

Actually, we do have one GPL program that we've modified... vsftpd. Again, no plans on redistributing it, but if we did it'd be no problem submitting the changes. They're deeply specific to our company and our usage and would utterly screw up anyone else who used them (things like automatically assuming paths on puts and gets so our customers don't have to do cd, and automatically moving files on completion of transfers (which might be useful)).

Do not work on OSS during company time though, not without explicit written consent. And many companies are now claiming anything you work on, even outside of work, to be their IP (which is on somewhat shaky grounds)... so if you want to work on OSS outside of work, check your contract and get a release from management if needed. Don't just do it -- in the worst case you're really, utterly screwing the project to the point where it may have to be removed from the net (at least officially). Most companies won't give a crap, as long as you're not doing it on company time and it's not competing with them.

Repost

It seems you've posted this article (from 1998, not 1999) a few times already.

Do you work for Microsoft?

Advice from the HA-Linux list

[Medievalist]

Alan Robertson, who maintains the heartbeat package and works for IBM, recently posted to the ha-linux list on this subject.

Alan does not accept patches to the heartbeat code that were developed on company time unless he receives a disclaimer from somebody at the company.

This is obviously spoofable, but it's probably a good way to legally protect the code -- Alan can honestly say he received it in good faith, which keeps IBM's lawyers' from breathing down his neck. It's kind of weird for me, though, I have to send a disclaimer giving myself permission to send in a patch....

So, to answer your question: explain to your CEO why helping the OSS community helps you to help your company, and get her/him to sign off on a policy that allows you to do so. Ask for legal authority to be delegated to yourself (or your boss) to license or assign corporate intellectual property to open-source projects. Then have HR propagate the policy to your co-workers.

Been thre, done that - some advice

[Samrobb]

Where I'm working right now (TimeSys), I've been involved in contributions to Eclipse and Cygwin. Here's some advice:

ASSUME THAT YOU ARE NOT ALLOWED TO RELEASE ANYTHING WITHOUT PERMISSION.

If there's no clear policy already in place, ask. You probably don't have the authority to act as an agent of the company with regard to making decisions about IP. (If you don't know for sure whether you have that authority or not, you should assume not until someone tells you otherwise.) Keep pushing the suggestions/requests up the chain of command until you reach someone who has the authority to say "yea". They may still tell you "nay", but at least you'll be getting a decision on the matter instead of an "I can't make this decision, I don't want to bother my boss, so I'll just say no" response.

START WITH SOMETHING SMALL.

In my case, it was getting permission to submit patches to correct bugs - very small, very simple, very non-threatening things. The argument was that we could submit the patches, or go through the pain of developing the same patches again with each new release of the software we were using. That's a good way to get the foot in the door: show that there's a benefit to submitting patches that outweighs any perceived risk. If you can show that you spend X days out of every release cycle generating the same ol' patches again and again, it's an even more convincing argument.

DON'T PUSH TOO HARD.

For some companies, this is a big step to take. Let the folks who make the decisions think about the idea, answer their questions honestly, and be persistent without harassing them every day about the issue. You don't want to have them tell you "no" just so you'll quit bugging them.

BE HAPPY WITH WHAT YOU GET.

I don't mean that when you get the first "no", you should give up. You need to be reasonable in your expectations - IMHO, submitting patches for bug fixes is fairly minor, and the reaction to that request should give you an idea of how receptive your maangement might be towards the idea of more substantial work & contributions.

My employer lets us submit bug fix patches freely for one project, at the developer's discretion. Minor feature additions in the same project require approval, which is generally easy to get. Other projects require management approval for all patches, no matter waht. Some projects that require copyright assignments are still in the "we're considering it" phase, and may never be approved. We've contributed at least one large chunk of original code to a project, and are considering doing it for a couple of others, as well, because while we want the software to have feature X, we don't want to have to maintain feature X. That's a pretty good argument to try if you're trying to get approval to submit a patch that adds a feature or functionality to an existing project :-)

I added an explicit OSS clause to my contract

[phamlen]

I'm also a consultant, working for a not-for-profit, and I added a specific contract clause allowing me to contribute to OSS.

The big code issue for my client was that they wanted explicit ownership of the code. They didn't want partial ownership, or to give me the rights to reuse the code, etc. I wanted the right to reuse what I developed elsewhere. We ended up compromising with a clause that allowed me to contribute any "fixes or improvements" to open source code back to the community. Interestingly, they were quite willing to accept this clause at contract time.

So I actually have an explicit contractual clause that allows me to contribute back. It makes me happy. :)

Re:Copyright

[Spazmania]

Yes and no.

If you are an actual employee, paid a salary or paid hourly where they withhold taxes and social security and what not, then any work done within the reasonable scope of your employment is considered work made for hire, thus the copyright vests in the employer rather than in you.

However, in almost every other circumstance, the copyright vests in you and must be explicitly transferred. This means that if you're a consultant, you own the work. Or if you're paid by the job, you own the work. Or if the work isn't reasonably within the scope of your employment, you own the work.

Some examples:

You are a janitor at the local school. While at work, you go into the computer lab and write the next Microsoft Windows. Who owns the work? You do. Although done on your employer's time and facilities, it was not within the scope of your employment. (Note however that the school can fire you and sue for misuse of facilities.)

A local ISP pays you $1000 to write a spam filter. Who owns it? You do. You were not an employee of the ISP.

A local ISP pays you $1000 to write a spam filter. You sign a contract which says, "I agree to write a spam filter and the copyrights belong to the ISP." Who owns it? You do. You can't assign rights to a work that hasn't yet been created.

A local ISP pays you $1000 to write a spam filter. After writing the software you sign a contract which says, "I assign the rights to this software to the ISP." Who owns it? The ISP does. You did first, and then you assigned the rights.

Here's a tricky one:

You work (as an employee) for a company writing accounting software. You sign an employment contract which says, "All software I write while employed by the company belongs to the company." In your spare time you write a spam filter. Who owns it? You do. A court would find that the actual fact was that accounting software was the scope of your employment. The only software that's work made for hire (whose copyrights vest in the employer) is the software written within the scope of your employment. And, as previously mentioned, you can't assign copyrights for something you havn't written yet.

What if you wrote the next Lotus 123? Then the company would own it. A spreadsheet is reasonably accounting software which was within your actual scope of employment.

Here's a trickier one:

You work (as an employee) for a company writing accounting software. You sign an employment contract which says, "I will assign rights to the company to all software I write while employed." In your spare time you write a spam filter. Who owns it? You do. That's right, you do. BUT, you have a valid contract with your company which compells you to write a document which says, "I assign the rights to this software to the company." If you fail to do so, you are in breach of contract.

What about when the contract said, "All software I write while employed by the company belongs to the company?" Are you in breach of contract if you don't assign the rights? You are not. There was no requirement to assign the rights, on an element stating that the rights belong to the company. That element in the contract is contrary to the governing law. If your contract allows it (most do), that element would be severed from the contract. Otherwise, the entire contract would be voided.