Stenbit tells open-source users: Check that legality

The Defense department's CIO says open-source software should be held to the same levels of security and licensing accountability as commercial software.

Open-source software should be held to the same levels of security and licensing accountability as commercial software, John Stenbit, Defense Department chief information officer, said in a May 28 memorandum.

"DoD components acquiring, using or developing [open-source software] must comply with all lawful licensing requirements," wrote Stenbit, who is also assistant secretary for command, control, communications and intelligence for the Defense Department. "As licensing provisions may be complex, the DoD components are strongly encouraged to consult their legal counsel to ensure that the legal implications of the particular license are fully understood."

The memo on open-source software use in the Defense Department noted that modified open-source code is "subject to the same license terms and conditions as the regular code." This means that if an agency or integrator rewrites open-source code to add new functionality, the modified code may fall under the same licensing agreement as the original code.

Stenbit singled out the GNU General Public License (GPL), the license under which the Linux kernel is distributed, as an example of this kind of license: anyone who distributes a modified version of GPL-licensed code must make the modified source available under the same terms.

In March, Unix vendor SCO Group of Lindon, Utah, sued IBM Corp., Armonk, N.Y., for $1 billion over alleged misuse of the intellectual property rights to the Unix operating system. SCO claimed that some of the proprietary Unix code under its control, which it had licensed to IBM, had been improperly contributed to Linux. In May, SCO warned enterprise Linux users that they might be held liable for unauthorized use of its property.

Bradley Westpfahl, director of IBM's government industry programs group, could not comment on the suit or on its possible effect on the government customers who use Linux-based IBM solutions.

Stenbit's memo also reminded defense offices that open-source software, like commercial software, must comply with the requirements of National Security Telecommunications and Information Systems Security Policy No. 11. That policy requires that information assurance (IA) and IA-enabled products acquired for national security systems be evaluated and validated under an approved scheme, such as the NIAP Common Criteria evaluation program or FIPS 140 cryptographic module validation, before they are used on those networks. The open-source origin of a product does not exempt it from that evaluation.

A copy of the memo (PDF) is available on the Web site of George Washington University's Center of Open Source and Government.