Versata Software, Inc. learned the high cost of failing to manage the use of free and open source software (FOSS) in its proprietary DCM software: its routine attempt to terminate a license for its DCM software exploded into several lawsuits resulting in eight of Versata’s clients being sued by XimpleWare Corporation, the owner of some software embedded in the DCM software. The cases1 arose from Versata’s alleged failure to comply with the license for XimpleWare software, General Public License version 2 (GPLv2), the most widely used license for FOSS.

FOSS is used by companies across industries that include everything from automobiles to consumer electronics. Yet many companies do not properly manage its use. In August 2014, Gartner reported that less than half of IT organizations have an effective FOSS use policy, noting that by 2016, “the vast majority of mainstream IT organizations will leverage nontrivial elements of OSS (directly or indirectly) in mission-critical IT solutions. Consequently, IT organizations must learn to manage hybrid portfolios that contain both OSS and CSS assets.”Costly disputes are likely to increase as FOSS is treated more as a standard part of the software ecosystem rather than an exotic exception.

In the past, FOSS licenses have been enforced by members of the community (such as the Software Freedom Conservancy or the Software Freedom Law Center), which focus on compliance. The Versata cases represent a potential major shift in FOSS compliance, where commercial (or monetizing) enforcers may become more common and seek monetary and other more traditional remedies for contract breach. These developments mean that both software distributors and users need to adopt and manage a robust process to manage the use of FOSS and ensure compliance with FOSS licenses. The failure to do so could be expensive.

Key organizations that enforce the GPLv2 recently provided guidance on GPLv2 compliance: on October 30, the Software Freedom Law Center published the second version of its Practical Guide to GPL Compliance; and a few days later, the Software Freedom Conservancy and the Free Software Foundation published the first version of their guide, the Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide 

Anyone managing FOSS compliance should read the Versata cases and these guides, and should track new developments in the Versata dispute. All companies distributing and using software should ensure they understand and can comply with their FOSS license obligation(s).

Companies distributing software should take the following steps:

  1. Understand what FOSS is included in your products. Most companies simply don’t know and need to use a scanning product like Black DuckPalamida or fossology.
  2. Develop a FOSS use and management policy to ensure you understand your obligations and can comply with them.
  3. Review your distribution agreements to ensure they take into account any terms imposed by FOSS licenses in your product.

Companies using software should take the following steps:

  1. Understand what FOSS is included in software that you are using. Consider using the scanning tools referenced above.
  2. Ensure that you have a FOSS use and management policy to comply with FOSS license obligations.4 As IT infrastructure has become more complex and the use of third parties has increased, ensure that your FOSS use policy takes added complexities into account