Friday, December 17, 2004

How do you know?

In the war story parts of legal seminars on open source and in my own practice, it is becoming clear that senior managers don't know that their programmers are using open source. This is an especially bad thing when its use is discovered in connection with due diligence in an equity investment, going public, or being acquired. Senior managers are routinely giving representations and warranties in contracts that the company uses no open source, and upon checking they are wrong.

What can you do to manage the use of open source in an IT organization?

6 Comments:

At 10:47 AM, Paul Arne said...

A few suggestions for starters.

Institute a periodic review of source code, searching for specific words and phrases that may indicate use of open source. Examples include: general public, GPL, copyright, (c), c in a circle, lesser general, and linking general. There are many other words and phrases that are also useful to search. This isn't a foolproof way to identify open source, but often it is quite effective.

Monitor Web usage at sites such as sourceforge.

Blacklist known open source sites (assuming you don't want to have anything to do with open source -- a position I'm not advocating).

Build a process where the programmer is required as a part of his or her job to fill out a simple form before adding code from any source other than the brain. It would include an identification of the software that it's been put into, a description of the functionality of the code, an identification of any license agreement, a simplified business case for doing so, etc. Arrange for a quick approval/disapproval process to review this form.

I'm interested in the thoughts of others how to control and monitor the use of open source.
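The periodic phrase search Paul Arne suggests, as an added example that is not part of his comment or the original post. The marker list, the `Example Corp` owner name used to suppress the company's own copyright notices, and the sample files are constructed for illustration; tune the list to your code base, since it is a triage aid, not a complete license audit.

```python
"""Scan a source tree for phrases that suggest third-party or open source
licensing: a review aid, not a complete license audit."""
import os
import re
import tempfile
from pathlib import Path

# Indicative phrases from the suggestion above; "c in a circle" is the © sign.
MARKERS = ["general public", "gpl", "copyright", "(c)", "\u00a9",
           "lesser general", "linking general"]
PATTERN = re.compile("|".join(re.escape(m) for m in MARKERS), re.IGNORECASE)
SOURCE_SUFFIXES = {".c", ".h", ".py", ".js", ".java", ".cpp", ".txt"}
OWN_HOLDER = "Example Corp"  # constructed: notices naming only this owner are expected


def scan_file(path):
    """Return (line number, line) pairs that hit a marker, skipping plain
    copyright notices that name the company itself."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = PATTERN.search(line)
            if not m:
                continue
            if m.group(0).lower() in ("copyright", "(c)", "\u00a9") and OWN_HOLDER in line:
                continue  # our own notice, not a third-party indicator
            hits.append((lineno, line.strip()))
    return hits


def scan_tree(root):
    """Walk root and map relative file path -> hits, for files with any hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in SOURCE_SUFFIXES and (hits := scan_file(p)):
                report[p.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return the report."""
    root = Path(tempfile.mkdtemp())
    samples = {  # constructed sample sources
        "app/main.c": "/* Copyright (c) 2004 Example Corp. */\nint main(void){return 0;}\n",
        "app/util.c": "/* Copyright (C) 1991 Free Software Foundation, Inc.\n"
                      " * Distributed under the GNU General Public License. */\n",
        "lib/hash.py": "# Licensed under the LGPL\n",
    }
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```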

 
At 6:01 PM, Riskable said...

It seems ridiculous that anyone would agree to sign something saying they're not using open source software. The simple reason is that OSS is in *everything*.

Think about it, even Windows has open source software and programs within it. The networking stack is almost entirely from FreeBSD. Various tools have their source code "open" as well.

Not only that, but any tool you use today could be open-sourced in the future by the company that makes it (example: Sun is going to make Solaris OSS).

There's just no way to avoid open source completely aside from building your own operating system and tools from scratch.

 
At 11:39 AM, Anonymous said...

This is a purely management issue, not a technical issue.

It is reckless for anyone to sign a statement they have not confirmed.

I'd be appalled if my manager had so little idea about the work I do that he wouldn't even know what software I was using - in order to be a good manager, he has to understand the hardware, software, toolset, development tools and methodologies. Otherwise, how can he manage me? Beyond approving my holiday allowance, he is not being a manager at all.

In that case, what is the manager's job description? If he's not expected to know what his staff are doing, and what they're doing it with, that sounds like a very strange organisation, not likely to last long at all.
If he is expected to know, and doesn't, and then gets the company in a mess because he did claim to know, it's time to show him the door.

That is addressing the symptom, not the cause - fix the cause by replacing him with a manager who does understand what his staff are doing - preferably before the ignorant one does something stupid, like sign statements on things he knows nothing about.

 
At 10:55 PM, Anonymous said...

It seems to me that this is an issue of having the "pointy-haired manager" opening their mouth before checking the facts. To confirm something that they obviously do not "know" is stupid and perhaps they should be shown the door.

I know from my own point of view that I use whatever I need to "get the job done", "time to market" is generally the biggest priority and if my PHM makes comments about what he doesn't know, well tough.

 
At 1:40 PM, Paul Arne said...

Normally where I've seen this issue come up is not from a representation and warranty made by a "manager." It's from the CEO or CFO, or their attorney, who make these statements. Maybe in a larger company it's the person in charge of M&A. It's usually pretty high up in an organization.

From what I've seen, there is a disconnect.

Thinking like a CEO, CFO, or CIO, does use of F/OSS need to be managed? If so, how?

 
At 10:37 AM, Anonymous said...

I'm a programmer, not a lawyer, which is probably why your opening statement leaves me scratching my head:

"In the war story parts of legal seminars on open source and in my own practice, it is becoming clear that senior managers don't know that their programmers are using open source."

What do you mean by "using open source", and how can that be a "bad thing"?


I thought about this a bit, and here's my opinion:

The phrase "using open source" could mean any of the following:

1) Using open source tools, like Emacs, CVS, or the GNU debugger. Your programmers use these tools in their day-to-day work, but it has no direct effect on the delivered software product.
2) Using open source hosting. For example, you provide dynamic web pages with servlets (which your programmers write), running a Tomcat web server and using a MYSQL database.
3) Programmers include "open source" source code not written by them into your product. For example, taking source code from the GNU debugger and including it into the debugger your company produces and provides to customers.

Which one do you mean?

If it's 1), then I don't see a problem. Warranting that your programmers aren't using emacs is kind of like warranting that they all drive American cars. Sure, you could do so, but it has *nothing* to do with the product your company delivers.

If it's 2), then there still isn't a problem. The webserver and database are not being distributed, they are simply being used. The choice to use Tomcat and MYSQL instead of, say, Websphere and Oracle, has really nothing to do with the actual programming done (though there are always minor changes if you change databases or something).

If it's 3), then I think you have a different problem. In my opinion, any company that doesn't have a strict, enforced policy on when it is or is not OK to include *any* code not written by the company into its products is asking for serious trouble. Plagiarism is plagiarism, whether you're stealing from GNU, from IBM, or from the guy down the street. If you're not keeping track of whether your employees are including code they didn't write into your product, then "using open source" is really the least of your worries.


So, I don't see where the problem with "using open source" is. Unless it's in miscommunication.

For example, a CEO might ask the programming managers "Are any of our programmers using open source?" thinking of meaning 1, above. The programming managers, realizing that of the three meanings above, only meaning 3 would have any legal repercussions, assume that that's what the CEO meant, and answer "No, we would never allow that."

While this can certainly be a problem, there's nothing special here about "using open source". Any miscommunication in the chain of management would lead to pretty much an equivalent problem.


Thanks for letting me comment here.

If I'm way off in interpreting the point you brought up for discussion, I'm sorry. If so, could you please explain exactly what you mean by "using open source", and how this can be a problem?

-- Ken

 
