Open Source Risk Management's protection plan

April 21, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

On Monday, Open Source Risk Management (OSRM) put out several interesting press releases. The company has "certified" that the Linux kernel is free of "source code that could provide a basis for meritorious copyright infringement claims." OSRM has also announced the "Open Source Legal Defense Center" (OSLDC) based in Washington D.C., which will offer membership programs for developers and corporations that might find themselves being sued by SCO or another company looking to make claims on the Linux kernel. We contacted OSRM executive director John St. Clair and OSRM director of research Pamela Jones about the announcements. Jones was kind enough to respond to several questions via e-mail, and St. Clair took the time to grant LWN a phone interview.

One might wonder how OSRM could "certify" that the Linux kernel is free of infringement. According to St. Clair, OSRM is not saying that they have proven that none of the code in the Linux kernel is tainted. However, he says that the company has done due diligence and is willing to take the risk of providing legal protection for copyright infringement claims against the kernel. According to Jones:

OSRM's certification can never mean that there will be no claims in the future; it means that they've taken a look and believe the risk is de minimis and insurable, and OSRM is sufficiently confident that it is willing to put its money where its mouth is.

St. Clair declined to provide specifics of the process that OSRM used to research the Linux kernel, but he did say that OSRM has built up "an extensive database of Unix variants... and compared that database against two versions of the kernel, 2.4 and 2.6, to detect matches between those two groups of source code." According to St. Clair, OSRM used in-house technology "unique to OSRM in terms of pattern-matching" and looked for straight text matches and "more obfuscated" code that might be taken from Unix. We asked whether OSRM might release the tools that they used for this research to the community, but St. Clair said there were no plans to do so at this time.

We were also curious how the OSLDC would work for developers, and whether $25,000 would be sufficient protection for developers if SCO or another party were to sue them. According to St. Clair:

This will provide developers, who are off on their own many times, a cost-effective way at $250 to be able to get advice and legal counsel with respect to their contributions to the Linux kernel. Should they be served with a subpoena or other legal action regarding their contributions they would receive up to $25,000 in legal protection from that.

He said that the $25,000 amount should be "pretty sufficient to cover much of their exposure." St. Clair stressed that the OSRM offering is vendor-neutral, and allows developers and corporations to make changes to the code and still receive protection, unlike some of the vendor-specific indemnification plans. He also pointed out that OSRM is not selling insurance, but rather "certifying and indemnifying our work around the kernel and with these clients to provide them an indemnification that we as OSRM have an insurance policy behind us that provides the financial wherewithal to offer that indemnification."

Since much of Microsoft's FUD these days is aimed at convincing customers that the Total Cost of Ownership (TCO) for Linux is higher than for Microsoft products, we asked St. Clair whether it was likely that their offering would be seen as raising the TCO of Linux. St. Clair said that the Legal Defense Center membership fees shouldn't harm Linux in the TCO discussion. "This is something that end users can choose to have or not have, it's not automatically bundled as part of Linux." Even adding in the cost of OSRM's offerings, St. Clair said that he believes that Linux will still have a lower TCO than its competitors. He also said that OSRM's offerings "put a stake in the ground" to show what indemnification may cost, rather than an unknown figure that opponents may exaggerate when debating TCO.

OSRM is not planning to limit itself to copyright issues or the Linux kernel. We asked whether OSRM was planning to examine other open source software commonly used with the Linux kernel, and whether the company would be expanding its protection to patent issues. The answer is yes on both counts. St. Clair told LWN that dealing with legal issues from patents is "absolutely in our plans," and Jones replied that she is currently doing research on providing protection for patent issues:

Obviously, this is a very large and complex undertaking that will require help from numerous kernel developers, organizations, specialized technical and legal experts, and hopefully volunteers in the community. We will be asking for help finding and collecting prior art through our new Grokline project, for example, which will go online shortly.

St. Clair said he believes that the SCO lawsuit will go away, but that SCO has "pointed to a potential vulnerability" that will last beyond SCO's suits. He said that OSRM also recognizes a need to go "up the stack" of open source software beyond the kernel that is also widely used. St. Clair said that he could not specify any software that would be covered by OSRM beyond the kernel at the moment, or give a timeline for announcing additional software.

Another area where OSRM is working, according to St. Clair, is in helping companies with risk assessment and developing indemnification programs that they can offer to their customers. He said that OSRM also helps "place their risk with third parties to provide that [indemnification] for their customers."

There is a "heavy amount of interest" in OSRM's offerings, according to St. Clair. It will be interesting to see if OSRM is successful in making a business out of offering indemnification for Linux and open source software, and whether they remain the sole business that offers this service if it proves to be popular.


What're they selling??

Posted Apr 23, 2004 16:03 UTC (Fri) by giraffedata (subscriber, #1954)

He also pointed out that OSRM is not selling insurance, but rather "certifying and indemnifying our work around the kernel and with these clients to provide them an indemnification that we as OSRM have an insurance policy behind us that provides the financial wherewithal to offer that indemnification."

I'm going to give Mr Sinclair some leeway because he's speaking off the cuff, but this sentence is grammatical gibberish, and he should refrain from using the word "indemnify" until he learns what it means.

First of all, the direct object of "indemnify" cannot be work or a fact. Secondly, indemnity is practically a synonym of insurance.

You indemnify a person, and it means you assume a risk that would otherwise be his. OSRM is apparently, in exchange for money, indemnifying Linux users against legal costs they might incur based on their use of Linux. I.e. selling insurance.

Sinclair mentions an insurance policy behind OSRM. I assume that's a reinsurance policy, because unless OSRM has a whole lot of assets, its insurance policies wouldn't be worth much without it; if one client has to defend its use of Linux, all of them do.

So the real story here is who's insuring OSRM, and why do they think it's a good risk?

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds