Linux resellers are not especially eager to tackle the question, but they know it lurks just over the horizon, thanks to the filing of the SCO-IBM lawsuit earlier this year. Ever since then, chief information officers have been reading that they could be vulnerable to future litigation for using open-source software.
None of this has escaped the attention of Microsoft and other like-minded suppliers of proprietary software. They are making sure customers know all about the protection plans they offer in the event that a company winds up in this sort of legal bind.
But when it comes to the indemnification question, the Linux crowd is ducking the issue. Not SuSE Linux, not Red Hat--not even IBM, the biggest Linux reseller of them all--says it plans to extend an indemnification umbrella to its customers.
"It's one of those things we revisit, but at this juncture, we haven't seen a need to make changes with regard to that," said Mark Webbink, Red Hat's general counsel.
"There's a cost to that," he continued. "I asked at a conference of lawyers last fall for a show of hands who'd be willing to pay more if they had indemnification. There was silence and then laughter. It was overwhelming. A lot of customers will act like (indemnification) is a big deal, but is it a big enough deal to pay?"
I suppose that's the $64,000 question--though you can add a few more zeros if SCO prevails. For the record, this still remains in the realm of the hypothetical. All we've heard publicly is one side of the story, because SCO has chosen to try the case in the media while IBM has remained silent.
But the indemnification question touches on a larger issue: Most organisations don't have the skills or resources to determine whether they are at intellectual property risk when they adopt a software application for their business. Essentially, they're buying something on faith.
A regular review of the code is going to be part of any software company's routine. No matter how difficult or expensive, it's a necessary precondition for a development company to have the confidence to offer indemnification in their license. Otherwise, it's an open invitation to financial disaster.
Needless to say, neither SuSE nor Red Hat has the financial wherewithal to offset the potential liability expenses that its customers incur. But even IBM isn't ready to back Linux the same way that it backs home-grown applications such as DB2.
"Linux is open-source code and freely available from many sources," an IBM executive confided. "With DB2, it's our software and the terms and conditions of the contract (that) make clear the level of indemnification."
The implicit message is that IBM will vouch for what it develops from scratch, but that it isn't willing to make the same claim for what comes out of the open-source community. Can you fault Big Blue? The assumption it's making is that the open-source community is too large and disorganised. If you didn't start tracking a piece of code from the beginning, who knows where it's been?
Larry Singer, the former CIO of the state of Georgia and now an executive at Sun Microsystems, says that information would have been enough to kill any pending deal. "My attorney general would have choked me if I exposed the state to that kind of legal threat," he recalled.
A lot of other information technology managers are more willing to take that plunge. But as the IBM-SCO spat is headed for the courts, the more immediate uncertainty for CIOs is the kind of support that they can count on in a crunch. In an uncertain environment, with lawsuits now more than a passing possibility, indemnification becomes a lot more than just another selling point for Linux.
Response sent to Charles Cooper
To: charles.cooper@cnet.com
Subject: re: The next big Linux controversy
Charles,
an interesting read. I've heard many reviewers trot out similar claims about indemnification.
I beg to differ with the conclusion presented however.
You somehow seem to imply that having a vendor (for example Microsoft) provide a user with platform software, will protect that user against any 3rd-party IP claim made against that vendor's software that the user is using.
This is a quite spurious assumption, and it is incorrect. I would suggest you read licences, such as Microsoft's EULA, which explicitly deines any such protection.
Let me quote from the EULA for XP:
"YOUR EXCLUSIVE REMEDY. Microsoft's and its suppliers' entire liability and your exclusive remedy shall be, at Microsoft's option from time to time exercised subject to applicable law, (a) return of the price paid (if any) for the
Product, or (b) repair or replacement of the Product, that does not meet this Limited Warranty and that is returned to Microsoft with a copy of your receipt."
...
"ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE PRODUCT."
...
For more information, see:
http://www.cybersource.com.au/cyber/about/comparing_the_gpl_to_eula.pdf
Yes, the GPL makes similar claims, but at least as a user you are going in with both eyes open, knowing that they do not indemnify you against possible 3rd party IP claims. Your piece on CNET implies that under similar circumstances, Microsoft would. I can't see how you make that claim.
I would be happy to receive your analysis of this disjunction of perspective between us. If I'm right, I would welcome an updated column from you on this topic.