OSNews:

OSNews: http://www.osnews.com/story/19230/HP_Develops_Tools_to_Track_Down_OSS Exploring the Future of Computing en-us Copyright 2001-2012, David Adams adam+nospam@osnews.com Wed, 15 Feb 2012 13:58:18 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Why? http://www.osnews.com/thread?298229 http://www.osnews.com/thread?298229 What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me. Tue, 29 Jan 2008 18:15:00 GMT donotreply@osnews.com (NxStY) Comments If you say so... http://www.osnews.com/thread?298232 http://www.osnews.com/thread?298232 "...to help companies address the potential legal, financial and security risks involved in the
adoption of free and open source software."

Right. Tue, 29 Jan 2008 18:43:00 GMT donotreply@osnews.com (rexstuff) Comments Much ado about nothing http://www.osnews.com/thread?298233 http://www.osnews.com/thread?298233 Business people try to pinch a dollar out of you no matter what you are doing.

If you don't know what you have installed on your systems, ask your system administrators to keep updated documentation on how your network is set up and evolves. Make it part of their job evaluation. Tue, 29 Jan 2008 18:45:00 GMT donotreply@osnews.com (porcel) Comments RE: Why? http://www.osnews.com/thread?298236 http://www.osnews.com/thread?298236

What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me.

OSS/copyleft projects can be very talented at hiding their licenses in obscure places. Additionally, there's currently no law requiring that open-source projects identify themselves as such in marketing and during installation so the user can opt out, so many people use open-source programs unknowingly. Tue, 29 Jan 2008 19:17:00 GMT donotreply@osnews.com (Almafeta) Comments RE: Much ado about nothing http://www.osnews.com/thread?298240 http://www.osnews.com/thread?298240

Business people try to pinch a dollar out of you no matter what you are doing.

HP has released this as GPL. Although I can't seem to find an application for it within my company, HP is not charging for the ability to use it. Tue, 29 Jan 2008 19:27:00 GMT donotreply@osnews.com (jharrell) Comments RE: If you say so... http://www.osnews.com/thread?298242 http://www.osnews.com/thread?298242

"...to help companies address the potential legal, financial and security risks involved in the
adoption of free and open source software."

Right.

I don't think anyone will quibble about security risks running unknown copies of open source; if it's unknown, it is likely not going to be upgraded when security flaws are discovered and fixed.

As for financial and legal risks, there are, in fact, legally encumbered binaries (at least in some jurisdictions) which cannot be copied under the license terms. While this can be overcome by building equivalent binaries from the source (which does require some work), not doing so could result in risks, however small in practice. Tue, 29 Jan 2008 19:34:00 GMT donotreply@osnews.com (james_parker) Comments RE[2]: HP has released this as GPL http://www.osnews.com/thread?298252 http://www.osnews.com/thread?298252 So, this is a great solution to the "issues" you have raised. Tue, 29 Jan 2008 20:07:00 GMT donotreply@osnews.com (glarepate) Comments RE: Why? http://www.osnews.com/thread?298262 http://www.osnews.com/thread?298262 "What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me."

In general there would be none. The one time it could pose a risk is if you are a software development house. That can cause legal problems if a developer uses the GPL versions of the files versus the paid for ones, such as with QT. That is the management/legal problem. Mainly because if the prodct can not be GPL for whatever reason, such as being a DoD project or such. Tue, 29 Jan 2008 21:27:00 GMT donotreply@osnews.com (DrillSgt) Comments HP is having problems http://www.osnews.com/thread?298265 http://www.osnews.com/thread?298265 as far as we can see. They want licenses to be sold.
HP-UX is pretty arcane, incomplete, runs on hardware that isn't avalable anymore (PA-RISC) and now they bet in Itanium. Even a DVD set will cost you list price $800 or so.

HP has a hard time and they try to compensate.. Tue, 29 Jan 2008 21:37:00 GMT donotreply@osnews.com (sgibofh) Comments Comment by i3X171UM http://www.osnews.com/thread?298271 http://www.osnews.com/thread?298271 "There is a significant benefit for enterprises to understand how much of this software they have and be able to manage it. Companies are running huge risks -- financial and otherwise -- by not knowing what open source software they're using and therefore not knowing what license obligations and security violations come along with it," Martino said.

That was the only explanation in the article. I tried to play devil's advocate and come up with some legally compromising scenarios of my own, but I honestly couldn't.

If anyone is curious, you can download the tool here: http://www.fossology.org/. It's GPL, somewhat ironically.

Ed: it appears to scan local files for text in 30 types of OSS licenses (\agents\foss_license_agent\Licenses\Raw\) and store the results in an sql-based "fossrepo."Edited 2008-01-29 22:19 UTC Tue, 29 Jan 2008 22:06:00 GMT donotreply@osnews.com (Alex Forster) Comments Comment by sorpigal http://www.osnews.com/thread?298272 http://www.osnews.com/thread?298272

"HP gave an example of a recent customer that had three times as many FOSS licenses as originally estimated -- 75 licenses rather than 25. This left customers with a choice: implement governance policies to allow the safe use of FOSS, or replace the software at an estimated cost of $80 million."

75 FOSS licenses? Really? I assume this does not refer to having software under 75 different OSI-approved license terms in their organization, but rather to having 75 devices running on FOSS software under licenses unknown.

Does HP mean to imply that not obtaining (read: paying for) licenses for FOSS software is somehow illegal or against government policy? I find this somewhere between comical and disingenuous. Is it unsafe to use unpaid-for software, even if that is in compliance with its license?

I understand that some organizations might like to know how much unapproved FOSS software has crept in to their infrastructure, purely for informational and planning purposes, but to advertise this service in a way that suggests that they are ferreting out illicit or illegal installations and making people pay for them is... unpleasant. Tue, 29 Jan 2008 22:08:00 GMT donotreply@osnews.com (sorpigal) Comments What about Windows http://www.osnews.com/thread?298291 http://www.osnews.com/thread?298291 I wonder if they make one for Windows and Proprietary software? I mean I have always wondered how any body could determine that a Binary only distributed applications could be checked.Edited 2008-01-30 00:04 UTC Tue, 29 Jan 2008 23:58:00 GMT donotreply@osnews.com (de_wizze) Comments RE[2]: If you say so... http://www.osnews.com/thread?298329 http://www.osnews.com/thread?298329

I don't think anyone will quibble about security risks running unknown copies of open source; if it's unknown, it is likely not going to be upgraded when security flaws are discovered and fixed.

While unknown copies of proprietary programs are, by contrast, not subject to these issues.Edited 2008-01-30 01:40 UTC Wed, 30 Jan 2008 01:39:00 GMT donotreply@osnews.com (sbergman27) Comments RE[2]: Why? http://www.osnews.com/thread?298351 http://www.osnews.com/thread?298351

Additionally, there's currently no law requiring that open-source projects identify themselves as such in marketing and during installation so the user can opt out, so many people use open-source programs unknowingly

There's no law requiring closed source software to indentify themselves as such in marketing and during installation so many people use closed source programs unknowingly. Wed, 30 Jan 2008 02:57:00 GMT donotreply@osnews.com (Soulbender) Comments RE[2]: If you say so... http://www.osnews.com/thread?298352 http://www.osnews.com/thread?298352

I don't think anyone will quibble about security risks running unknown copies of open source;

Please explain how this is different from running unknown software that isn't open source. Wed, 30 Jan 2008 03:00:00 GMT donotreply@osnews.com (Soulbender) Comments Comment by Soulbender http://www.osnews.com/thread?298355 http://www.osnews.com/thread?298355

Wow. Welcome to the land of bullshit.
Seriously, that sentence makes no sense. Did they have software licensed under 75 different OSS licenses? Did they have 75 users of some OSS software that is per-seat licensed? Or something else entirely? What governance policies?

"Open source software is different than traditional proprietary software

Other than how it's licensed it's no different.

and most people don't know how much they have embedded in their hardware."

What? Embedded in the hardware? Why the fsck would that matter? If it's embedded it comes with the damn product. Why does it matter if a hardware device is using OSS or not?

Users have uniformly told us that they don't know how much open source software they had

I doubt "users" know how much software they have, regardless of license.

FOSSology and FOSSBazaar are completely free, but HP refused to issue pricing for its Health Check Services, which vary depending on the service.

Wow really. No price eh? There's a surprise for ya.

You know, if they had said that it helped you find unknown OSS software so you could keep track of it and keep it updated that would have been one thing but this, this is just bullshit,Edited 2008-01-30 03:28 UTC Wed, 30 Jan 2008 03:27:00 GMT donotreply@osnews.com (Soulbender) Comments RE: Why? http://www.osnews.com/thread?298363 http://www.osnews.com/thread?298363

What a useless product. Why would using OSS pose management and legal problems? Sounds like FUD to me.

Well, the FSF is taking an aggressive stance now with pursuing legal action against GPL violators.

Steve Ballmer is beating a tin drum about OSS projects violating MS IP.

Sun themselves are in a two-way lawsuit over patent violations in ZFS.

Trend Micro is barking patent claims against ClamAV, which is integrated into a surprising number of commercial enterprise-class security applications/products.

Linux kernel devs like Grek KH claim that closed drivers such as nvidia's are GPL violating, whereas Linus himself disagrees.

Qt respects a multitude of OSS licensing options but requires a commercial license for any applications that don't meet those OSS requirements.

The list goes on...

It's one thing to argue semantics on a tech-oriented forum such as OSNews. It's completely different to argue them with compliance-regulated commercial organizations that risk liability for license violations.

This isn't a bad thing HP is doing, so let's take the tinfoil hats off for a second and stop assuming that they're somehow trying to undermine OSS adoption, particularly considering they are a significant backer and contributor to OSS.

Commercial organizations operate under different priorities and requirements than your average tech enthusiast. Despite the growing adoption of OSS within enterprise class organizations, it's still a scary concept for many CIO's to try and navigate the requirements and obligations of various OSS licenses, particularly if they're creating software applications around them. Sarbox also implies a requirement for due diligence when it comes to things like IP issues, so execs often discard alternatives in favor of the warm and comfy proprietary licenses they are familiar with, complete with legal indemnity.

If you've got a bone to pick, don't blame HP. Blame MS for bringing up the issue of IP compliance to enterprises when it comes to OSS. Used appropriately, this is a tool for OSS-favorable CIO's to get a measurable handle on how non-proprietary tech is being used within their organizations.

I see the glass as being half-full, but I imagine that there will be many that insist on seeing it half-empty. Wed, 30 Jan 2008 04:17:00 GMT donotreply@osnews.com (elsewhere) Comments Answer : Lot of Illegal BSD code http://www.osnews.com/thread?298379 http://www.osnews.com/thread?298379 Most of BSD and OSS is illegal and raise flag about there provenance and sustainability in court , unlike GNU/Linux and real Free Software it as not been proven as legal.

Lots of Management are paid or convinced to remove FOSS for Proprieatry solution , they just don't know the real cost of there decision.

HP is trying to be legal here and a lot of OSS is illegal , not to be compared to GNU/Linux and Free Software who is always legal and most OSS need to be removed completely as it is a liability for company. Wed, 30 Jan 2008 05:40:00 GMT donotreply@osnews.com (Moulinneuf) Comments HP need to read the license. http://www.osnews.com/thread?298386 http://www.osnews.com/thread?298386 FTA:

If it really is FOSS, then it is absolutely free to "use" (that is, to run). Free as in freedom AND free as in beer. It says so right in the license.

The only restriction comes when you are a software developer yourself, and only then if the code that you produce actually includes FOSS source code within it, and only then if it is licensed under a copyleft FOSS license (such as the GPL) rather than a permissive FOSS license (such as BSD), and only then if your product itself is closed-source.

So are HP trying to claim that their customer was a developer who had released 75 closed-source applications which included copyleft FOSS source code, when they thought they had made only 25 applications?

HP's customer needs to buy $80 million dollars worth of free software? Is that a silly claim or what? HP are sounding utterly stupid with this press release. Either stupid or ignorant of what the licenses actually say.

If I were a non-developer customer of HP's and HP tried to scare me into buying a HP product with FUD like that, I would drop HP like a ton of hot bricks.

Even if I were a software developer, I'd take HP's press release to mean that HP thought that I didn't know what I was doing ... and still I would drop HP like a ton of hot bricks. Wed, 30 Jan 2008 06:00:00 GMT donotreply@osnews.com (lemur2) Comments RE: Comment by sorpigal http://www.osnews.com/thread?298387 http://www.osnews.com/thread?298387 "I assume this does not refer to having software under 75 different OSI-approved license terms in their organization"

No , because most OSS license are not aproved or recognised or identified by the OSI. Also the OSI does not certify the legality or integrity in the face of the law of the license used. just that it meet some of it's basic Open Source criteria.

Example : Heckler & Koch G36 ( a military class assault rifle ) is certified ISO , that's a method of production , the ISO cannot come in court and testify that the G36 is legal and useable as a hunter riffle in CANADA because it's certified ISO.

Now it may come to you as a shock but in some country many OSS license are declared illegal , BSD being one , because they figure the text is incomplete and that it's not really a license but a contract or protection clause.

It's a lie by the BSD that all OSS code is equal and that all are legal.

BSD is not part of OIN for a reason. Wed, 30 Jan 2008 06:09:00 GMT donotreply@osnews.com (Moulinneuf) Comments RE[2]: Why? http://www.osnews.com/thread?298389 http://www.osnews.com/thread?298389

Well, the FSF is taking an aggressive stance now with pursuing legal action against GPL violators.

Applies only to software developers who include GPL code in their own product which they then try to release as closed source and charge people for.

Steve Ballmer is beating a tin drum about OSS projects violating MS IP.

A lot of noise and no substance. Not one actual mention to date of an alleged infringement of an actual patent number from Steve.

Sun themselves are in a two-way lawsuit over patent violations in ZFS.

Has nothing to do with Sun's use of FOSS. ZFS is Sun's own product.

Trend Micro is barking patent claims against ClamAV, which is integrated into a surprising number of commercial enterprise-class security applications/products.

These claims are not against ClamAV itself, but rather are against the manner in which one company has used an anti-virus scanner (any one at all would qualify here) in a firewall product. Lots of prior art would indicate this action doesn't have a prayer anyway.

Linux kernel devs like Grek KH claim that closed drivers such as nvidia's are GPL violating, whereas Linus himself disagrees.

Which one of these is a copyright lawyer? As long as nvidia binaries contain no FOSS code itself, and do not statically link to GPL code (LGPL doesn't matter), then it does not infringe. This is in fact the case AFAIK, so Linus is correct it would seem.

Qt respects a multitude of OSS licensing options but requires a commercial license for any applications that don't meet those OSS requirements.

Like any software at all, if you want to include it in your closed-source product, then you must get permission from the author. The GPL does not give you permission to do that, so you must get a separate license from trolltech. This is no different WHATEVER code you use in your closed-source product ... if you did not write it yourself, you must get permission from the author. That would normally involve paying a FEE. This also has nothing to do with FOSS ... this is use in a commercial product.Edited 2008-01-30 06:22 UTC Wed, 30 Jan 2008 06:18:00 GMT donotreply@osnews.com (lemur2) Comments RE[2]: Why? http://www.osnews.com/thread?298394 http://www.osnews.com/thread?298394 "the FSF is taking an aggressive stance now with pursuing legal action against GPL violators."

Nothing new here , at all , the FSF as won every single case of GPL violation it pursued. Mostly by having the thieve comply before going to court.

The problem is that not all OSS certified code and Free
software licensed code is legal and equal.

GNU/Linux and Free Software is legal and come with patent legality assured and protected.

Where as say BSD is Illegal come with no patent legality and is not insured or reviewed for removal of infringing code. They are not even covered by OIN and are infringing on most of OIN patents ( pretty much almost all patent outside Microsoft ). Wed, 30 Jan 2008 06:25:00 GMT donotreply@osnews.com (Moulinneuf) Comments RE[3]: Why? http://www.osnews.com/thread?298397 http://www.osnews.com/thread?298397

Applies only to software developers who include GPL code in their own product which they then try to release as closed source and charge people for.

NO the FSF will pursu all GPL violation. The thing is most of them comply as soon a sthe FSF show up since it's a legal and recognised license tested in court.

A lot of noise and no substance. Not one actual mention to date of an alleged infringement of an actual patent number from Steve.

Microsoft is sending it's satellite company to do this job as to not appear as the bad wolf with the antitrust regulation they are under in the US. Problem ( for them ) is everyone they send is striked down in court.

Which one of these is a copyright lawyer?

Neither but Linus is known to make illegal and costly legal mistake.

- GPL is the second license of the Linux kernel.
- Trademark is not elgal and recognized worldwide beacuse of him.
- Lots of OSS code he included turned out have to be removed.

so Linus is correct it would seem.

No , Linus just don't know what he is talking about as usual when he goes out of the kernel coding. There is a serious graphic driver problem due to them being mostly OSS , Lot of incompatibilities with upgrade is due to slow fix coming from the proprietary graphice drivers.

There are 6 month to a year gap on the higher end graphic driver cards release. Wed, 30 Jan 2008 06:41:00 GMT donotreply@osnews.com (Moulinneuf) Comments RE[2]: Comment by sorpigal http://www.osnews.com/thread?298419 http://www.osnews.com/thread?298419

It's a lie by the BSD that all OSS code is equal and that all are legal.

Sorry to burst your bubble Moulinef, but it is not at all illegal to write software (as long as you actually write it yourself and refrain from copying someone else's work), nor is it in any way illegal to let someone else run the software you have written. As long as you have written the software, then the law is such that you the author gets to say how others may, or may not, use it.

There is nothing "illegal" about FOSS software. Wed, 30 Jan 2008 09:31:00 GMT donotreply@osnews.com (lemur2) Comments RE[3]: If you say so... http://www.osnews.com/thread?298525 http://www.osnews.com/thread?298525

"I don't think anyone will quibble about security risks running unknown copies of open source;

Please explain how this is different from running unknown software that isn't open source. "

In general, there is no difference. However, in server environments (which this software is geared toward), nearly all closed source software is commercial, and generally requires such things as licence information and root access to install, not to mention a commercial agreement prior to receiving the software.

In contrast, open source can generally be installed without such restrictions, making it far easier to overlook. Wed, 30 Jan 2008 19:42:00 GMT donotreply@osnews.com (james_parker) Comments RE[4]: If you say so... http://www.osnews.com/thread?298550 http://www.osnews.com/thread?298550

nearly all closed source software is commercial, and generally requires such things as licence information and root access to install, not to mention a commercial agreement prior to receiving the software

...

In contrast, open source can generally be installed without such restrictions, making it far easier to overlook.

" nearly all closed source software is commercial, and generally requires such things as licence information and root access to install, not to mention a commercial agreement prior to receiving the software

...

In contrast, open source can generally be installed without such restrictions, making it far easier to overlook.

Open source code does not need "looking over". You are granted permission to install it and run it without any commercial agreement in place. Since you don't need any commercial agreements to install it and run it, what exactly is the point of trying to keep track of commercial agreement papers which don't exist and aren't required? "

You missed the original context of my initial reply; the problem is that if the software is untracked entirely, the software may not be upgraded to pick up fixes for security flaws that are discovered. These known but unfixed flaws pose a risk to the company using the software, especially on servers which are accessed or updated by multiple people.

While being easier to obtain, install, and run is one of the advantages of Open Source, there is a corresponding disadvantage that it is so easy that it can be done with little thought. That in turn makes it easy to overlook the need to install security updates. Wed, 30 Jan 2008 22:40:00 GMT donotreply@osnews.com (james_parker) Comments RE[3]: Comment by sorpigal http://www.osnews.com/thread?298618 http://www.osnews.com/thread?298618 "Moulinef"

M o u l i n n e u f , use copy paste if you can't write my real life name properly.

"it is not at all illegal to write software"

It is when your not legally given the permission to do it.

"There is nothing "illegal" about FOSS software"

I agree.

The problem is with some "OSS" software.

You seem to mix Open Source Software with Free Software as if both are all the time the same and equal all the time.

as for living in a bubble :

hal twokone aka hal 2001 :

http://www.google.com/search?client=opera&rls=en&q=hal+2001...

... Thu, 31 Jan 2008 09:53:00 GMT donotreply@osnews.com (Moulinneuf) Comments I just checked to site out http://www.osnews.com/thread?298621 http://www.osnews.com/thread?298621 And realized that it was like to ultimate flame-bait generator ...

Psst ... are you gonna let them use your code like that?
What are you talking about?
Well something tells me that Abiword might be using your BSD licensed code and the calling the whole thing GPL
Yeah you're right
I'm not saying you have to do something, I'm just saying
No your right !! Thu, 31 Jan 2008 10:45:00 GMT donotreply@osnews.com (de_wizze) Comments RE[4]: Comment by sorpigal http://www.osnews.com/thread?298626 http://www.osnews.com/thread?298626

It is when your not legally given the permission to do it.

Sigh! You really do have a major, major disconnect from reality here.

It is not illegal to write code. You just sit down and type it. As long as it is your own work, no-one can stop you. You do NOT need permission, from anyone.

Once you have written your own work, your very own piece of code ... you are then the author of it. You automatically own the copyrights to it. Not the US government, not Microsoft, not your local pastor ... nobody but you.

As the copyright owner in the code, you may license it however you wish. You set the terms by which others may use it and copy it.

Once again, and with emphasis ... you DO NOT NEED ANYONE'S PERMISSION to write your own code.

http://en.wikipedia.org/wiki/Freedom_of_speech

http://en.wikipedia.org/wiki/Copyright

"Copyright - is a legal concept enacted by most national governments, that gives the creator of an original work exclusive rights to it"

http://en.wikipedia.org/wiki/Free_content

"Because the law by default grants copyright holders monopolistic control over their creations"

Since the creator of a work has control rights over that work, they can choose to do this with it if they so please:
http://en.wikipedia.org/wiki/Free_software

PS: sorry about the mis-spelling of Moulinneuf. That was lazy of me.Edited 2008-01-31 11:23 UTC Thu, 31 Jan 2008 11:20:00 GMT donotreply@osnews.com (lemur2) Comments RE[5]: Comment by sorpigal http://www.osnews.com/thread?298669 http://www.osnews.com/thread?298669 OK ... That's your point. But it as nothing to do with what I said.

copyright ownership on the derivative is what's the problem. Thu, 31 Jan 2008 15:48:00 GMT donotreply@osnews.com (Moulinneuf) Comments