Developing a Corporate Open Source policy


Does Red Hat have any guidelines on what to discuss or consider when developing an Open Source policy? The areas that I believe we need to address are:
1) If we ship a product that includes open source components, and need to backport a patch to an unsupported tool (for example, if we have a customer still on RHEL 3), we are of course bound by the license of that given tool (i.e., GPL Version 2). However, any source code modifications made by a corporate developer are still owned by the company, so it would still essentially require authorization by the company to release the source. Therefore it would be prudent to include in the policy document either a statement giving blanket authorization, or a statement requiring prior authorization before making changes on a GPL'd product (depending on the comfort level of the company).

2) Regarding use of Open Source internally: The company will need to balance the needs for support (so a statement that says "only open source products that have available external vendor support are permitted"), or a blanket statement authorizing the use of any well-vetted open source product, or something in between.

So my question: are there any sample discussion guidelines that have been developed for use in creating an appropriate policy for corporate use? Or actual examples of well-adopted policies?

Thanks.

Responses

From the GPL2 COPYING file:

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Your company does not "own" the modified source. Before distributing and publishing it, a QA review might be done to make sure that the published modifications are ok (just like you would like to do for closed source software).

Regarding the selection of open source software. Did you have a look at QSOS (Qualification and Selection of Opensource Software, www.qsos.org)?

Legally, the company does own the modifications to the source. The GPL doesn't give automatic copyright assignment -- it just gives an obligation to release the source (if and only if the binaries are distributed). But that obligation does not grant legal permission for anyone else to release the source except for the copyright owner (in this case, the corporation an employee works for) -- and, if the copyright owner is following the license, they will release it under the GPL too, or be in violation of the license.

What I'm getting at, is even though my boss tells me to modify a GPL'd program, that doesn't explicitly give me the authorization to distribute the source -- and that is what a blanket corporate open source policy should do, is clarify that authorization. And a policy that covers this serves as an education tool for those in the corporate structure that aren't familiar with the licenses and terminology. I'm just looking for existing examples of such policies so that I can take this to the next staff meeting and bring this up.
