The times are changing: More and more companies are finally taking stock of the open source code embedded in their products. The main driver is to be (finally) compliant with the requirements of the licenses of the open source code. I see three main reasons for why companies are finally shaping up:
- The big OEMs are driving it. Large end-user-facing OEMs have long had good open source governance, including license compliance, and they are finally pushing open source license compliance into their supply chain. In the past, without detailed checking, suppliers could simply promise that there was no open source code or only the declared open source code in their deliverables.
- The Linux Foundation is also driving it. Foundations, in particular the Linux Foundation, are doing a lot of outreach and are pushing initiatives for processes (OpenChain) and tools (many). The Linux Foundation acts, for the most part, as a proxy for the big OEMs mentioned above. Being more neutral ground, foundations find it easier to reach companies further removed from the big OEMs.
- Copyright trolls are making many uneasy. Copyright trolls, that is, developers with standing to sue companies for violation of their intellectual property rights (as in Linux kernel code), are on a roll, and numerous reports about their activities have surfaced. The industry is bracing itself, and awareness of the legal risks of not being license compliant is therefore becoming more widespread.
Occasionally, due diligence in mergers and acquisitions also pushes a (then hasty) attempt at cleaning up.
There you have it. All of this has been long overdue, and it is not clear whether it will ever come to a full-fledged end. Fully cleaning up means reviewing the full history of open source projects, including the Linux kernel, and it is doubtful that this will ever reach 100% clarity. But then, using open source was, is, and always will be an exercise in risk management. Perfection, in the sense of the absence of risk, is not realistic (nor economically sensible).