Did you know that most open source lawsuits target embedded systems?

A brief history

In 2007, Verizon was sued for including General Public License (GPL) code in its FIOS routers.
As part of the settlement, Verizon subcontractor Actiontec paid an undisclosed sum to the developers of BusyBox (a set of GPL Unix utilities). Actiontec also agreed to post the code on its website and appoint a compliance officer for open source.
More than a dozen consumer electronics manufacturers — including Best Buy, Samsung and JVC — were also sued in 2009 for violating the GPL. More recently, VMware has been sued for including copyrighted Linux code in its embedded ESX hypervisor.

What's required

It's common to assume that open source code is in the public domain and therefore not subject to any copyright.
But open source code is copyrighted, which means you can only use it with the permission of the copyright holder. In many cases, this can simply mean including the license text and copyright notice with the code.
Some of the more popular licenses (including GPL) also require you to provide source code upon request. You may also be obliged to publish any proprietary modifications to the code you developed yourself.

Consequences of non-compliance

Ignoring license compliance can be disastrous for you and your company. Your company can be shut down with court injunctions, tied up with costly legal proceedings, and forced to undergo code audits. You can even be obliged to reveal proprietary source code.
Other potential consequences include creating major roadblocks when your company is being acquired or wants to license your product to a strategic partner.

“Manufacturers should subject IoT devices to a rigorous SDLC process, including maintaining an inventory of embedded open source components.”

Online Trust Alliance, IoT Trust Framework

Manual approaches are ineffective

Legal departments typically require development organizations to track open source usage so they can monitor compliance with various types of open source licenses. In some organizations, this is accomplished by asking each developer to manually track embedded components in shared documents such as spreadsheets.
In addition to being an inefficient use of developer time, this approach is rarely accurate or complete. Modern development environments are dynamic and complex, especially in companies with globally distributed teams. This complexity is further increased by the need to also track all dependencies in your code — many of which may carry different types of open source licenses.

A new way forward

Developers and legal teams need an easy way to track open source licenses in an automated way that integrates with existing workflows.
They need a next-generation approach that’s robust enough to handle the complexity and constant change of modern development environments, without requiring manual tuning and onsite consultants.

Want to see how our simpler approach works for you? Sign up for our free code security audit.