Barking at the wrong tree

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.

By gianugo

Gartner notes that 85% of companies now use Open Source, yet 69% of them have no formal Open Source policy, which, according to the report, opens the door to "huge potential liabilities for intellectual-property violations". Glyn Moody and Matt Asay rightly bash the report, noting that IP violations are not a big deal once you take the FUD away. End of story? Not really...

Having not read the entire report, it's hard for me to judge whether Gartner is completely missing the point. Still, I'm very uneasy with the numbers just posted, and I believe that 69% should raise more than an eyebrow. Yes, IP violations can be a minor issue for the vast majority of Open Source users (though they can easily become a huge problem in very specific cases), but that shouldn't be an excuse to avoid Open Source policies altogether, because there is so much more to controlling and governing software, especially Open Source. Blogging on FOSSBazaar is preaching to the choir, yet I find it hard to believe how companies can be as paranoid as a Kafkaesque bureaucrat when accounting for toilet paper suppliers, and as relaxed as a hippie commune when it comes to basic rules about what is running on their systems.

At Sourcesense we run Open Source assessments for a living, with the main objective of capturing Open Source usage in large organizations. We consistently hit the blank stare moment from CIOs as they notice how much software is running on their systems without them knowing a single thing about it. And, guess what, despite the blank stares, very few are concerned about IP violations as they realize they have more important reasons to be worried.

At the end of the day, what matters is realizing that your security team is unable to tell whether a system is vulnerable: an advisory for the Foo library version 1.7 flies under the radar because no one bothered to notice that framework Bar relies heavily on Foo 1.7 to do its job. What's important is understanding how suboptimal it is to have twelve different versions of <insert your famous Open Source library here> lying around fifty or so corporate projects that happen to share the same environment and behave oddly at times. What matters, at the end of the day, is knowing what is running the IT side of your business at any given minute, so that you can make informed decisions. Yet most Open Source governance arguments are centered on the IP bogeyman or, if we're lucky, on enterprise support, runtime issues and throats to choke.
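The Foo-via-Bar problem above is exactly what an inventory check has to answer: given only the direct dependencies each project declares, which systems actually contain the affected version, through which chain of packages, and how many distinct versions of each library are deployed across the estate? The following is an added example written for this page, not code from the original post or from Sourcesense's assessment tooling; the package catalog, project manifests and advisory it walks are constructed, and the version-range logic is a deliberately simple inclusive dotted-integer comparison.

```python
"""Hypothetical software-inventory check (added example, constructed data).

Resolves each project's transitive dependencies from a package catalog, then
answers two questions the text raises: which projects are exposed to an
advisory through a dependency nobody declared directly, and how many distinct
versions of each library are really deployed."""
from collections import defaultdict, deque

# Constructed package catalog: (name, version) -> direct dependencies.
# "bar" 2.1 quietly pulls in "foo" 1.7; no project declares foo 1.7 itself.
CATALOG = {
    ("bar", "2.1"): [("foo", "1.7"), ("baz", "0.9")],
    ("bar", "2.4"): [("foo", "1.9")],
    ("baz", "0.9"): [("foo", "1.2")],
    ("foo", "1.2"): [],
    ("foo", "1.7"): [],
    ("foo", "1.9"): [],
    ("qux", "3.0"): [("bar", "2.1")],
}

# Constructed project manifests: only direct dependencies are declared.
PROJECTS = {
    "billing": [("bar", "2.1")],
    "portal": [("qux", "3.0"), ("foo", "1.9")],
    "reporting": [("bar", "2.4")],
    "intranet": [("foo", "1.2")],
}

# Constructed advisory: foo 1.0 through 1.7 inclusive are affected, 1.8 fixes it.
ADVISORY = {"package": "foo", "affected_from": "1.0", "affected_to": "1.7", "fixed": "1.8"}


def parse_version(v):
    """Dotted integer versions only; enough for this example."""
    return tuple(int(x) for x in v.split("."))


def is_affected(version, advisory):
    pv = parse_version(version)
    return parse_version(advisory["affected_from"]) <= pv <= parse_version(advisory["affected_to"])


def resolve(direct_deps, catalog):
    """Breadth-first walk from a project's declared dependencies.

    Returns {(name, version): path}, where path is the shortest chain of
    (name, version) nodes through which that package was reached. Different
    versions of the same package are distinct nodes, so version sprawl shows up.
    """
    reached = {}
    queue = deque((dep, [dep]) for dep in direct_deps)
    while queue:
        pkg, path = queue.popleft()
        if pkg in reached:
            continue
        reached[pkg] = path
        for child in catalog.get(pkg, []):
            queue.append((child, path + [child]))
    return reached


def exposed_projects(projects, catalog, advisory):
    """Map each exposed project to the chain(s) that drag in an affected version."""
    result = {}
    for name, direct in projects.items():
        chains = [
            " -> ".join(f"{p}@{v}" for p, v in path)
            for (pkg, ver), path in resolve(direct, catalog).items()
            if pkg == advisory["package"] and is_affected(ver, advisory)
        ]
        if chains:
            result[name] = chains
    return result


def version_sprawl(projects, catalog):
    """How many distinct versions of each library are actually deployed."""
    versions = defaultdict(set)
    for direct in projects.values():
        for pkg, ver in resolve(direct, catalog):
            versions[pkg].add(ver)
    return {pkg: sorted(v, key=parse_version) for pkg, v in versions.items()}


if __name__ == "__main__":
    for proj, chains in exposed_projects(PROJECTS, CATALOG, ADVISORY).items():
        print(f"{proj}: " + "; ".join(chains))
    for pkg, vers in sorted(version_sprawl(PROJECTS, CATALOG).items()):
        print(f"{pkg}: {len(vers)} version(s) deployed: {', '.join(vers)}")
```

Run as a script, the report shows "reporting" is clean while "portal" is exposed twice over (qux pulls in bar 2.1, which pulls in both foo 1.7 and, via baz, foo 1.2), and that three versions of foo are live at once. A real assessment replaces the constructed catalog with what is actually on the boxes (installed packages, bundled jars, vendored copies), which is the part that produces the blank stares.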

I hate FUD with a passion. There is a subtle difference between barking at the wrong tree and crying wolf: it will be a great day when we are able to have a relaxed conversation about how Open Source is changing the software acquisition model, and about how complex organizations such as big corporations can leverage the Open Source advantage while adopting a few simple and effective policies that keep them in control of their IT. And, in some edge cases that still matter, of their IP as well.