Hewlett-Packard is taking a giant leap into the field of open source governance -- the managing of free software within corporate systems -- with three announcements today. FOSSology, an open source project for the development of governance and FOSSBazaar, a Web site to focus discussion about governance, are being development with open source corporate partners, while the Open Source Health Check is the name for HP's own collection of governance consulting services.
The projects and services are the direct result of HP's involvement in open source software over the last seven years, according to Doug Small, director of open source and Linux strategy. HP has a long history of support for free and open source software, both in printers and in servers, where, for the past two quarters, more than 22% of shipped units and 17% of the company's server revenues have come from GNU/Linux.
In addition, Small says, "We use open source in our own IT within the company for general purposes. We also buy software that includes open source in it, and we ship software and hardware that includes open source code in it. And as we started getting more and more business in this area, we developed automated software tools to help us understand where we were using it and where the licenses were. We also developed processes to help us understand what we were doing inside the company. And we've been doing that for seven years. And, as we talked to customers about what we've been doing internally, they've indicated an interest and wanted to work with us from a consulting perspective."
It is these internally developed tools and practices that form the basis for FOSSology and the Open Source Health Check.
A growing concern
Small suggests that open source governance is becoming an increasing concern in business today. "What we have noticed in the last couple of years is an increasing number of questions from our customers about governance. Customers are starting to realize that open source software is fundamentally different from proprietary software." Many of its differences are beneficial, Small says, yet "Because it is different, it does start to raise some questions about how to properly govern its use inside an organization."
The main concern is that, because free and open source software is readily available from the Internet, it bypasses the procurement practices and legal scrutiny that proprietary software faces.
"We have engineers building things using open source code, and, as they download that code, they are obligating their company to a legal license that their employers are not aware of and probably don't understand the implications of from an IP protection or legal perspective," Small says. "And, of course, the legal folks are concerned because [the engineers have] bypassed the usual legal process in getting this software. They get concerned. We work with them with some processes and tools, then they can understand how open source is different and can understand how to get its benefits and still mitigate some of the potential risks."
The problem is not just one of education, but of potentially hidden consequences. OpenOffice.org, for example, is licensed under the GNU Lesser Public License. However, Small suggests that just looking at the main license may not be enough from a corporate legal perspective -- he claims that OpenOffice.org has more than 1,700 different instances of open source licenses within it.
"It's not always a case of looking at one piece of code and finding that it has a specific license," Small says. "You've got to dig a little deeper to find the complete set of licenses in use."
The tools and services
With FOSSology, HP is "contributing all our tools to the community," Small says. He describes the project as having a back end consisting of an extensible software framework that has got a Web interface, meta-data database and repository, a scheduler, some open APIs, and an engine to drive the whole thing. Currently, the project has two tools: A discovery agent that finds open source software within source code, and a license agent, which finds licenses embedded in the software. A third agent for detecting code re-use is scheduled for release in the spring. HP will be be contributing regular updates to the databases used by the agent, and hopes that other contributors will start to do the same.
Supporting FOSSology will be FOSSBazaar, a site developed in partnership with the Linux Foundation -- which will have a work group associated with it -- as well as such companies as Google, Novell, and SourceForge (the parent company of Linux.com). The site is intended as a repository for basic education about open source, as well as specific governance issues such as IP risk, license compliance, lifecycle management, and open source inventory, security, and acquisition. Also on the site will be self-assessment surveys designed for business executives and legal counsels.
Karl Paetzel, HP's worldwide marketing manager for open source and Linux, says, "We've got a number of forums with some specific open source topics that we've got lined up, and some of our partners have signed up to dedicate folks in different areas of expertise to manage those forums." He says that these same moderators may also serve as judges for white papers and other items that become part of FOSSBazaar's permanent content. How this permanent content will be licensed will most likely be left to the contributors, he says, although they may be encouraged to use a free content license, such as Creative Commons.
Paetzel says that a major purpose of FOSSBazaar will be education. He describes a one-day workshop on governance as "one of the key deliverables," and hopes that, as participants start to use the site, other educational ideas will emerge.
HP's third governance offering is Open Source Health Check, a series of paid services it is offering to customers, apparently as the next logical step after participation in FOSSBazaar. These services include assessment of existing code, migration to open source software, and current usage, all of which can take from a week to over three months to complete, depending on the size of the company and the complexity of its systems.
Experience and open source
The resources that HP is announcing sound similar in many ways to those offered by other companies in the governance field, such as Palamida and Black Duck Software. Small says, "Our services are distinguished by the fact that we live in this every day. We've got over 60 man-years of development of the tools that we're open sourcing. So any way that you might be using open source or contributing to it, we've been there and used it. We're one of the largest IT vendors in the world, and we've got a lot of experience. We've directly contributed that to our customers."
Small declined to cite specific customers, explaining, "It's increasingly difficult to have customers go public. Our customers view this as a competitive advantage. They're getting a low cost infrastructure. They don't want their competitors to know about it."
However, Small did say that HP has "massive installations across the world that would probably raise your eyebrows in term of Linux penetration that we can't talk to you about."
On the basis of customer interaction, Small says, "We feel that our tools are incredibly complete and innovative in the way that they use different heuristics and so on to identify what some of the gaps are, and we find that, with the combination of our best practices and tool kit, we get excellent responses from our consulting clients. They indicate to us that we have a competitive advantage in this space."