What happens when you read that “GPL Code Found In OpenBSD Wireless Driver” and “Google used rival’s database ‘inadvertently’” within a few days of each other?

Well, I call up a friend/colleague in legal and pose a hypothetical scenario:

Let’s imagine I had a beef with the OSS business model or with a vendor delivering OSS software. Let’s further assume I had enough development skills to write more than <? echo "hey, come here often?" ?>. Next, let’s assume that I fix a bug in OSS_Project_X or, better yet, get commit access to OSS_Project_X and add a new feature. My contributions get accepted and distributed with the next version of OSS_Project_X. Fast forward six months. It comes to light that the code I submitted was actually not my IP. I’d copied that code from another OSS project with a conflicting license, or worse, from a commercially licensed piece of software (to which I had source code access, e.g. because I worked at a software vendor).

The question to my colleague was: Now what?

Colleague in Legal (CiL): Well, first of all, I’d want to know if you’d signed a Contributor License Agreement (CLA) (e.g. this one from Apache). Essentially, were you legally entitled to contribute the IP?

Savio: Okay, let’s say I did sign a CLA and lied, but oh well. Does it really have a lot of weight?

CiL: Well, from a legal standpoint, that CLA you signed is valid. Or, said differently, it’s better to have a CLA in place than not. But anytime we redistribute OSS code inside, or alongside, an IBM product, we do a code scan of every line in the product. We look for copyright headers on files or functions and inside of license files. If we’re not sure of the license attached to any portion of the code, we don’t use it.

I’m interested in what a typical OSS vendor, or someone like SpikeSource or OpenLogic, does in this area.

From what I can tell, most larger OSS projects have a CLA process in place (e.g. Apache Projects, JBoss Projects, Alfresco, Compiere). But there wasn’t a whole lot of consistency around CLAs on sourceforge.net projects. Could it be that smaller-scale OSS projects don’t consider CLAs a priority? That may be a fair trade-off, until a smaller project gets included in a larger OSS project (but I guess that the larger OSS project would consider the CLA ramifications before doing so).

I’d also be interested in whether a typical OSS vendor does any code scans on contributions. This may actually be a bigger deal for someone like SpikeSource or OpenLogic, which collects OSS piece-parts from lots (hundreds) of different projects, with different governance models and licenses, and doesn’t really control the code coming into those projects.
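To make the “code scan of every line” concrete, here is an added example of the simplest form such a scan can take: look at the head of each incoming file for an SPDX tag, a recognisable license notice and a copyright line, then accept only licenses on the receiving project’s allowlist and reject anything unknown. This is illustration only, not the page’s own code and not IBM’s, SpikeSource’s or OpenLogic’s actual process; the project license, the allowlist, the phrase table and the three sample files are all constructed for the example (the GPL-under-BSD case mirrors the driver story at the top of the post).

```python
"""Header-based license scan for an incoming contribution.

Added example, not any vendor's real tooling. Policy values and the
sample files below are constructed for illustration.
"""
import re

# Assumed policy: a hypothetical BSD-licensed project and the SPDX ids
# it is willing to take in from contributors.
PROJECT_LICENSE = "BSD-2-Clause"
COMPATIBLE = {"BSD-2-Clause", "BSD-3-Clause", "MIT", "ISC"}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT_RE = re.compile(
    r"Copyright\s+(?:\(c\)|©)?\s*(\d{4}(?:-\d{4})?)\s+(.+)", re.IGNORECASE
)
# Coarse phrase table for files that carry a notice but no SPDX tag.
# First match wins; "GPL" is deliberately version-agnostic because the
# phrase alone does not say which GPL version applies.
LICENSE_PHRASES = [
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("BSD-2-Clause", re.compile(r"Redistribution and use in source and binary forms", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
]


def _head(text, header_lines=30):
    """Only the top of the file is treated as the license header."""
    return "\n".join(text.splitlines()[:header_lines])


def detect_license(text):
    """Return the license id found in the file head, or None if absent."""
    head = _head(text)
    m = SPDX_RE.search(head)
    if m:
        return m.group(1)
    for spdx, rx in LICENSE_PHRASES:
        if rx.search(head):
            return spdx
    return None


def detect_copyright(text):
    """Return the copyright holder named in the file head, or None."""
    m = COPYRIGHT_RE.search(_head(text))
    return m.group(2).strip() if m else None


def classify(path, text):
    """Apply the allowlist policy to one file; unknown license => reject."""
    lic = detect_license(text)
    if lic is None:
        verdict = "REJECT: no license header"
    elif lic in COMPATIBLE:
        verdict = "OK"
    else:
        verdict = f"REJECT: {lic} is incompatible with {PROJECT_LICENSE}"
    return {"path": path, "license": lic,
            "holder": detect_copyright(text), "verdict": verdict}


def scan(files):
    """files: mapping of path -> file content. Returns one result per file."""
    return [classify(p, t) for p, t in sorted(files.items())]


# Constructed sample contribution: a clean BSD file, a file whose header
# admits it was lifted from a GPL codebase, and a header with no notice.
SAMPLE_FILES = {
    "if_foo.c": (
        "/*\n * Copyright (c) 2007 Example Contributor\n *\n"
        " * Redistribution and use in source and binary forms, with or without\n"
        " * modification, are permitted ...\n */\n"
        "int foo(void) { return 0; }\n"
    ),
    "if_foo_hal.c": (
        "/*\n * Copyright (c) 2005 Other Vendor\n *\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License ...\n */\n"
        "int foo_hal(void) { return 1; }\n"
    ),
    "foo_reg.h": "#define FOO_REG_CTRL 0x10\n",
}

if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f"{r['path']:14} {str(r['license']):14} "
              f"{str(r['holder']):20} {r['verdict']}")
```

The caveat a practitioner would add: a header scan only catches what the contributor left in the file. Someone who copied code and stripped the notice, as in the scenario above, produces a file that looks exactly like `foo_reg.h` and is rejected only because the policy treats “no license” as “unknown license”; establishing where such code actually came from needs snippet matching against a corpus of known sources, not a header check.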

The GPL/BSD driver issue and Google’s “mistake” highlighted for me that, as a customer, I’d be more interested in what a vendor is doing to ensure that I’ll never need the indemnity clause than in the clause itself.