The next big Linux controversy

CNET News.com's Charles Cooper says the Linux resellers' refusal to indemnify customers is bound to increasingly weigh on the minds of CIOs who implement open-source software.

Charles Cooper
Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
3 min read
Linux resellers are not especially eager to tackle the question, but they know it lurks just over the horizon, thanks to the
filing of the SCO-IBM lawsuit earlier this year. Ever since then, chief information officers have been reading that they could be vulnerable to future litigation for using open-source software.

None of this has escaped the attention of Microsoft and other like-minded suppliers of proprietary software. They are making sure customers know all about the protection plans they offer in the event that a company winds up in this sort of legal bind.

But when it comes to the indemnification question, the Linux crowd is ducking the issue. Not SuSE Linux, not Red Hat--not even IBM, the biggest Linux reseller of them all--says it plans to extend an indemnification umbrella to its customers.

"It's one of those things we revisit, but at this juncture, we haven't seen a need to make changes with regard to that," said Mark Webbink, Red Hat's general counsel.

"There's a cost to that," he continued. "I asked at a conference of lawyers last fall for a show of hands who'd be willing to pay more if they had indemnification. There was silence and then laughter. It was overwhelming. A lot of customers will act like (indemnification) is a big deal, but is it a big enough deal to pay?"

I suppose that's the $64,000 question--though you can add a few more zeros if SCO prevails. For the record, this still remains in the realm of the hypothetical. All we've heard publicly is one side of the story, because SCO has chosen to try the case in the media while IBM has remained silent.

But the indemnification question touches on a larger issue: Most organizations don't have the skills or resources to determine whether they are at intellectual property risk when they adopt a software application for their business. Essentially, they're buying something on faith.

A regular review of the code is going to be part of any software company?s routine. No matter how difficult or expensive, it's a necessary precondition for a development company to have the confidence to offer indemnification in their license. Otherwise, it's an open invitation to financial disaster.

The implicit message is that IBM will vouch for what it develops from scratch but that it isn't willing to make the same claim for what comes out of the open-source community.
Needless to say, neither SuSE nor Red Hat has the financial wherewithal to offset the potential liability expenses that its customers incur. But even IBM isn't ready to back Linux the same way that it backs home-grown applications such as DB2.

"Linux is open-source code and freely available from many sources," an IBM executive confided. "With DB2, it's our software and the terms and conditions of the contract (that) make clear the level of indemnification."

The implicit message is that IBM will vouch for what it develops from scratch, but that it isn't willing to make the same claim for what comes out of the open-source community. Can you fault Big Blue? The assumption it's making is that the open-source community is too large and disorganized. If you didn't start tracking a piece of code from the beginning, who knows where it's been?

Larry Singer, the former CIO of the state of Georgia and now an executive at Sun Microsystems, says that information would have been enough to kill any pending deal. "My attorney general would have choked me if I exposed the state to that kind of legal threat," he recalled.

A lot of other information technology managers are more willing to take that plunge. But as the IBM-SCO spat is headed for the courts, the more immediate uncertainty for CIOs is the kind of support that they can count on in a crunch. In an uncertain environment, with lawsuits now more than a passing possibility, indemnification becomes a lot more than just another selling point for Linux.