Like a lot of techies and/or Penguin-heads out there, I’ve been following the whole SCO-vs.- [well, everyone] battle that has pitted the small Utah-based Unix company against…well, the entire, global Linux community and beyond.
For those not familiar with the whole mess, here is an encapsulated summary:
SCO says it owns the rights to Unix; SCO says this same Unix code is in Linux, so SCO is busy suing a lot of Linux vendors/users (IBM, Daimler-Chrysler, Autozone) and being sued by others (RedHat, Novell) for the same actions.
Yes, that is a greatly over-simplified version of the whole mess. But necessary for what follows.
There was a very good story on Salon.com today (subscription or “view ad get daily pass” required) about the SCO frontal – and the OSS backlash – titled Making the world safe for free software.
In the article, a short summary (far better than mine) outlines the whole issue of SCO vs. [everyone], and what is happening – pre-legal outcome[s] – to combat this issue. In general, it addresses how Linux – or any such non-company product – can survive our litigious times.
The focus of the article is on Open Source Risk Management (OSRM), a company that is trying to act as an independent – yet OSS-friendly – insurance agency for companies using Linux. Notable among OSRM’s hires is Pamela Jones, the Head WebMistress of Groklaw, the simple blog turned open-source legal defense for Linux. Groklaw – the Anti-FUD.
It’s an interesting article and OSRM has an interesting tack on the whole indemnification issue, but – to me – this should be only a first step. Maybe it is; however, neither the article (nor anything else I’ve written) seems to indicate otherwise.
Bear with me, as I’m not a lawyer and just not that bright (obviously…), but here are some of the issues/contradictions I see, as well as comments on the current condition:
- SCO will fail in its lawsuits: However, the whole lawsuit thing was a good wake-up call for the OSS industry/users. This stuff (nuisance lawsuits) – as Pamela Jones notes in the Salon article – is never going to go away.
- Copyright laws don’t work for software: Read (Prof.) Lawrence Lessig’s blog at any point for more on this, but there are too many issues with U.S. copyright and software to easily reconcile. If I’m in possession of stolen hard goods (TV, stereo), they can be seized, but – unless I knew they were stolen – I can’t be prosecuted. However, if I’m running Linux – legally, I can be prosecuted for buying Linux from a valid company and using it according to the terms set by that company, even if I have no clue about contested code. That seems…odd…
- Why Insurance?: The whole OSRM concept (as I’ve read it) seems to be to scour the code (what code? Not clear) and then indemnify companies that use it. OK, I get it, but this feeds nuisance lawsuits in two ways:
  - It gives the potential plaintiffs “deeper pockets” (insurance dough) for nuisance lawsuits to target.
  - It puts the burden (cost) on the end user (say, me, a Linux user) rather than the provider (RedHat, SuSE etc.).
- Why not an Underwriters Laboratories (UL Listed) concept?: This is the logical extension of what OSRM is doing, but they don’t seem interested in doing so. How would it work?
  - Linux vendor (RedHat, SuSE etc.) grabs a certain Linux tarball, attaches some of its own stuff (maybe) and submits it for approval. Pays for this review. (Also an incentive for competing companies to at least agree upon a base kernel so the cost can be shared; added libraries or proprietary code is extra.)
  - OSRM does the code review; pronounces it clean if OK; sends it back with “issues” if such are found.
  - If issues are found in OSRM-approved code in the future, that’s OSRM’s problem – upon approval, they give indemnification.
  - NOTE: The above does not address the issue of folks who grab the raw Linux code and compile it themselves.
I’m sure I’m missing something, but why not some sort of move where a third party (OSRM, for example) can give blanket indemnification, instead of each RedHat client (for example) having to apply for this insurance? Yes, it could be a bundled cost, but doesn’t that point to the need for something “UL-like” as I’ve pointed out?
People who run Linux that is not UL-listed, well, same as building your own power strip.
Your house may burn down.
If it does, you don’t have a recourse.
Which is fine – keeps choice open, but protects those (yes, at some cost) who want protection.