Properly Contributing to Open Source While on Company Time?

egeorge asks: "I was wondering what kind of paperwork/policies developers have at their jobs concerning contribution to open source projects. I develop software at a company that derives almost its entire revenue from software. Some software is licensed to customers, some is run internally in a service model, but the software is our whole business. We have recently been doing more and more modification and customization of open source products, and we would love to give some of this back. As developers, though, some of us are a little hesitant to just start flinging code that technically still belongs to the company out into the world. We want to make sure we get clarification about what is or is not covered by our NDAs. So, what kind of procedures do other developers have to go through to get adequate coverage for Open Source submissions? I would like to suggest a policy to my superiors, and could use a few good suggestions."
  • Copyright (Score:5, Insightful)

    by krisp ( 59093 ) * on Thursday June 05, 2003 @12:58PM (#6124950) Homepage
    As I understand it, as far as the copyright law goes, if you create it at work on your company's computer, the copyright belongs to them.
  • by autopr0n ( 534291 ) on Thursday June 05, 2003 @12:58PM (#6124957) Homepage Journal
    Keep in mind the GPL allows for internal use of modified software without releasing the source code.
  • by stevew ( 4845 ) on Thursday June 05, 2003 @12:59PM (#6124966) Journal
    The first question that needs clarification in my mind is - Is your company distributing open-source code that they have modified?

    If that is the case - then if it is GPL'd code, you need to release it according to the license. If it is a BSDish license that isn't the case.

    Probably the best piece of advice - get your company to emit a policy on the subject. You may not like the results, but at least it will be a definitive answer.
  • Justin Frankel (Score:5, Insightful)

    by Transient0 ( 175617 ) on Thursday June 05, 2003 @01:00PM (#6124971) Homepage
    I think Justin Frankel [slashdot.org] would tell you that you can't ever be sure that you have any creative control over what you are doing on company time.

    The only ways to remain certain that you have complete control are to either work on your own or with a small group in a small company and then leave as soon as they get bought out by the big guys.
  • Well (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday June 05, 2003 @01:04PM (#6125020) Homepage Journal
    IANAD (Developer) but it seems to me that you need to have a contractual agreement with your employer to allow you to contribute code written on company time back to the particular projects on a case by case basis. You are most likely to succeed if you go to them and say, "I have been downloading, customizing, and using these GPL packages, these are the nature of my customizations (...) and I would like to contribute the code back so that it can be reviewed and improved upon by others rather than by me."

    Ultimately, anything you've done on company time is owned by the company, and you have no rights to it whatsoever, NDA or no. Your contract may grant or revoke various rights, of course, where not prohibited by law. But I would definitely go in assuming that all that code belongs to the company and you have no right to distribute it without formal written permission.

  • by dreamchaser ( 49529 ) on Thursday June 05, 2003 @01:07PM (#6125041) Homepage Journal
    Because you are doing it on their time, not your own.
  • by Ngwenya ( 147097 ) on Thursday June 05, 2003 @01:10PM (#6125065)
    I'm a consultant, paid for my time and the IP I develop. I would not dare to risk cross-contamination by doing anything more than downloading and using open-source packages at the office.

    Clearly that is your right - but I would venture that you are losing (or at least lowering) one of the essential values of Open Source: the ability to lower support, development and maintenance costs by having them amortized amongst the various businesses to whom you might consult.

    Moreover, I have yet to see a reputation tarnished by having contributions accepted to high calibre projects in a peer-reviewed manner.

    When you mention cross-contamination, do you mean that you fear that you might put a client's IP into software which you subsequently release? Surely your client would have the right to refuse publication rights for the code (since the IP wasn't yours to give away)? Speaking flippantly, is it that you figure Open Source stuff would get you found out more quickly than a release of closed source kit? :-)

    --Ng

  • by BrynM ( 217883 ) * on Thursday June 05, 2003 @01:11PM (#6125082) Homepage Journal
    THIS DOCUMENT CAN BE RECOPIED AND REDISTRIBUTED WITHOUT RESTRICTION, HOWEVER ADDITIONS/MODIFICATIONS/CORRECTIONS SHOULD BE LABELED AS SUCH WHERE THEY OCCUR.
    So are you saying that this document is Open Source/Public Domain? By your standards, I shouldn't have wasted my time reading it then and someone shouldn't have wasted their time writing it. Though it may have very important points, the stance of the document reeks of FUD.

    By the way, who is "The open source organization"?

  • Lawyers (Score:3, Insightful)

    by truthsearch ( 249536 ) on Thursday June 05, 2003 @01:12PM (#6125092) Homepage Journal
    Considering it's a software company, hire a lawyer. Developers alone should not be making these decisions where a company's fate is at stake. Hire a law firm who specializes in software and/or copyright, go over everything with them, and then make up policy. It's not smart to not consult a lawyer in this case.
  • by Ngwenya ( 147097 ) on Thursday June 05, 2003 @01:16PM (#6125135)
    Well, sometimes I will be working with an OSS software package and I see a way to make a little change to make it better, or fix a bug. Why should any employer/client worry about that?

    Vicarious liability, for one reason. Your employer (in most jurisdictions) is at least partly responsible for your actions whilst you are in their employ, and on their time. It hardly seems fair for them to be expected to assume liability without having the capacity to mitigate it, does it?

    And all the disclaimers in the world won't help you if a case can be made for malicious code being deliberately released - your company would still be accountable.

    --Ng

  • Merging (Score:5, Insightful)

    by EnglishTim ( 9662 ) on Thursday June 05, 2003 @01:20PM (#6125168)
    I would have thought the best approach is to suggest that you submit the patches so that you won't have to go through the pain of merging your changes in every time you want to get a new version of the software. If you phrase it as something that will help your productivity, I'd have thought they'd be much more likely to agree.
  • by Anonymous Coward on Thursday June 05, 2003 @01:21PM (#6125169)
    Gates has already done that.

    If you and/or your company are using OpenSource/GPL software in a beneficial way and you make improvements to the GPL code it would be in your/your company's interest to release your improvements to the community. After all, if you grazed your cattle on the commons would you sell the fertilizer back to the community that gave you free grazing privileges or would you leave it on the commons to fertilize the grass so other cattle have grass to graze? Gates would collect it as "IP" and cash in, but are you that kind of person? Is your company that kind of company? (Selfish and Greedy)

    In other words, if everyone took and took and took, but no one returned, GPL software would be less significant than it is today. So, leave your 'proprietary IP' attitude behind or stop using GPL software. If you want to sell your "IP" don't use GPL code in it.

    Freely you received, freely give.
  • Can't you just use (Score:2, Insightful)

    by vasqzr ( 619165 ) <vasqzr@noSpaM.netscape.net> on Thursday June 05, 2003 @01:27PM (#6125212)

    Can't you just use a pseudonym? I mentioned this in another post.

    If the patch or software is released by "Thor the C Coder", who's the wiser?
  • by shakah ( 78118 ) on Thursday June 05, 2003 @01:27PM (#6125216)
    ..., but I wouldn't expect this to be measured by whether you're using the company's computer, ...
    It certainly would be a major factor if and when a company tried to assert copyright ownership to software created by an employee, along with things like whether the software in question was developed during business hours.
  • by 1u3hr ( 530656 ) on Thursday June 05, 2003 @01:33PM (#6125267)
    And all the disclaimers in the world won't help you if a case can be made for malicious code being deliberately released - your company would still be accountable.

    Legally sound, but immoral and practically insane. The same argument could be made for preventing you from doing almost anything you don't have to do, regardless of how public spirited.

    And in particular, when in the history of this world, has "malicious code [been] deliberately released" as part of an OSS?

    The upside for the company is an increase of good will, which translates into sales.

  • by ThogScully ( 589935 ) <neilsd@neilschelly.com> on Thursday June 05, 2003 @01:35PM (#6125280) Homepage
    I feel like a fish catching a hook, but I'll reply for a bit. First off, this is off-topic. This story is about someone using opensource software in business services and wondering how to contribute changes/improvements back to the community while keeping his company's IP separated.

    Second, open source models for profit are not based on the sale of the software, so since opensource companies don't sell their software, don't assume they aren't profitable. You don't credit Red Hat and Caldera with any development, but they most certainly do contribute and make their money off of both support and the package they sell their OS in. They prepare everything for a user to have a complete OS and that requires many tweaks to everything for uniformity and integration. They also develop and maintain OS updates as patches become available so their users can update their systems.

    Your discussion against why opensource software is not better than commercial is only in talking about how gcc is not up to par with commercial compilers, but you haven't proven that point. As a cross-compiler, I'll bet gcc is probably one of, if not the, best out there. I guess it won't compile as well for a P4 as an Intel designed P4 compiler, but those details are tough to notice and not so applicable. Then your argument here trails into how there aren't enough qualified contributors in the opensource world to make competitive software, while I would suggest that there is more qualification in the opensource world. Since you didn't support your argument, I won't support this to save space and at least match the convincing-ness of your argument.

    You say that opensource software was not responsible for the internet's success, but open protocols were. The first step was open protocols with clear definitions. The next was software to implement them, which is still largely opensource. Apache, BIND, sendmail are always at the top of the list and I promise if you turned off every Apache, BIND, and sendmail server right now, you wouldn't bother trying to use what's left of the internet.

    By the way, how do Netscape's contributions to opensource help them make a profit? I've never felt inclined to buy Netscape's enterprise servers simply because I use Mozilla.

    And this document won't be recopied or redistributed by me, as I'm not as willing to make a fool of myself like you have. But then again, I did bother to write this long reply.... oh well.
    -N
  • by GoofyBoy ( 44399 ) on Thursday June 05, 2003 @01:35PM (#6125283) Journal

    Then you should have no problem in formally writing up to them what you plan to return to the Open Source project.

    Outline exactly what you intend to send the maintainer and why it benefits your job/the company.

    Just don't do it because you can't see why you shouldn't. Your boss might have a different opinion.
  • Re:LGPL (Score:1, Insightful)

    by Anonymous Coward on Thursday June 05, 2003 @01:52PM (#6125433)

    using GPL type of licenced source is a parasite

    Well, if you don't like it, don't use it. The GPL isn't parasitic, it stops parasites. If you take, you have to give back (and that isn't even required in case you just use the modified GPL program yourself).

  • by Chibi ( 232518 ) on Thursday June 05, 2003 @02:09PM (#6125589) Journal

    What's the problem here if you are paid for your time?

    Just bill for the time you put in on submitting patches to GPL/Open Source software.

    It's a reasonable expense and you offer a more "standard" industry solution than a near worthless one man spaghetti job of code that has no community or testing infrastructure (i.e. many eyeballs)



    Try explaining to a client how you just charged them to add some functionality to something that will be used by others for free. It's great karma, but most suits aren't too interested in karma...

    Another problem is that most people are more interested in short-term costs. Look at all the publicly-traded companies that will lay off people in order to boost their stocks in the short-term. The only people that really care about long-terms costs are either people in direct ownership or people with some level of perspective. Most grunts these days are probably figuring they won't be around at a specific company for long (whether it's their choice or the choice of someone else). And the best way to look good quickly is lowering short-term costs...

  • by dreamchaser ( 49529 ) on Thursday June 05, 2003 @02:14PM (#6125623) Homepage Journal
    Not in my experience. Some do, some don't. Many people don't even have contracts, but company policies usually exist regarding IP that is produced while employed at said company.

    In some cases those restrictions even extend to one's free time. If you work for a company that develops software and decide to write some OSS on your own time, you could very well be putting your job at risk.

    The moral: read the fine print before signing and/or going to work someplace.
  • by Zathrus ( 232140 ) on Thursday June 05, 2003 @02:32PM (#6125759) Homepage
    It is easy to see that the foundation of the Internet was built on open protocols.

    Factually inaccurate.

    Yes, IP, TCP, and UDP are open protocols, as are most of the protocols built on top of them (telnet, ftp, dns, etc).

    But the single most prevalent TCP/IP stack, from which virtually every existing TCP/IP stack is inherited, comes from BSD, which is open source. In fact, the litmus test for being able to connect to the Internet was whether or not you could communicate with a BSD stack system, not whether or not you complied to the published RFCs. BSD's stack did vary from the RFC in some cases, and if you actually wanted to work you'd better comply to those changes, not the other way around.

    Of course, Microsoft is now the dominant TCP/IP stack. But that's ok - it's BSD based. If you look at the original Winsock32 code you'll find BSD disclaimers all over the compiled code. You won't find it in Winsock16, but then again Winsock16 sucked rocks and didn't work much of the time.

    Did some people implement entirely new TCP/IP stacks without use of the BSD source? Sure. But it took far longer to get them working properly, and longer than that to make them efficient. It's very hard to argue that the existence of the freely usable BSD stack was not a large impetus to the success of TCP/IP, and thus the Internet.

    It [GCC] lags its commercial counterparts in both efficiency and features.

    Lags in features? So I suppose it wasn't the first compiler to fully implement the STL in a bug-free manner? Or to implement most features of C99?

    Hell, most commercial compilers still have problems with the STL. Few have even begun implementing C99, much less completed large portions of it. Yeah, they may be more efficient, but that means bugger all if they won't compile the code in the first place.

    And GCC is the most efficient compiler for a large number of platforms -- probably because it's the only one. Embedded programming has moved largely toward the use of GCC because of reduced support requirements on the manufacturers. And we're talking about a group (embedded programmers) where efficiency is the number one concern.

    I'm not a OSS zealot, but I also don't discount its value.
  • you're so fired (Score:5, Insightful)

    by joe_bruin ( 266648 ) on Thursday June 05, 2003 @02:55PM (#6125950) Homepage Journal
    if you were my employee, and you wasted your time writing 'md5deep', you'd be fired. this is a 5 minutes shell script.

    md5deep, reimplemented in shell, for your benefit. not tested, i'm sure there are some bugs. yes, it could use refinement, but this is a one minute job.

    recursion:
    # nul-delimited so file names with spaces or newlines are passed intact
    $ find . -type f -print0 | xargs -0 md5sum

    time estimation:
    #on my machine i get about 40 megs per second
    #using md5sum (openssl is faster)
    echo "`du -sk | cut -f1` / 40000" | bc
  • by ClippyHater ( 638515 ) on Thursday June 05, 2003 @03:09PM (#6126113) Journal
    The moral: read the fine print before signing and/or going to work someplace.

    Or, in my case, thank GOD! that someone FINALLY called me for an interview and hired me: sign nda/what-have-you, and begin working and being paid (hurray!!) again after 18 months. It's a tough job market for some, and we can't be too choosy in what we'll accept in an nda/what-have-you.

    But if you want to keep your job, definitely talk over everything that even BARELY seems questionable, even things you consider non-questionable.

    Until there's another tech bubble, I'm super-gluing my butt in my cube. I'll retire the day they find my bleached white bones slumped over my keyboard.
  • by chrysalis ( 50680 ) on Thursday June 05, 2003 @04:01PM (#6126602) Homepage
    Here's what _may_ work :

    Start the project at home, out of your working hours.

    Make it GPL'ed. As a public proof, you can release an initial public beta version.

    Back to your company, continue to work on the project. Any addition made to it must be GPL'ed as well, isn't it? So even though you are working on it while on company time, you can always release the product as free software.

  • by raw-sewage ( 679226 ) on Thursday June 05, 2003 @04:20PM (#6126770)
    This is slightly off-topic, yet somewhat related... What about contributing ideas or concepts to open source that were developed at your place of work?

    A co-worker and I were having this discussion with regards to the SCO vs IBM case: say I'm developing some technology at work, a state-of-the-art journaling filesystem for example. Now I go home at night and work on an open source journaling filesystem. All the code between work and open source projects is separate (i.e. absolutely no code sharing). However, there are certain concepts and ideas that I will inevitably borrow from my work project and put in the open source project.

    Now we have a potential SCO vs IBM situation on hand: my company finds out that there is some open source using very similar technology (to their own patented or copyrighted work). My company is going to want royalties for this!

    Although a lot of us open sourcers are taking the SCO vs. IBM situation lightly, if it does happen to go in SCO's favor (either by court decision or settlement), it sets a precedent for companies to go scouring all open source code for possible IP infringement. This will scare corporations away from open source in a heartbeat.

  • by Tsu Dho Nimh ( 663417 ) <abacaxi@@@hotmail...com> on Thursday June 05, 2003 @05:04PM (#6127130)
    "The four primary business cases mentioned by OS proponents are "Selling Support", "Loss Leader", "Widget Frosting" and "Accessorizing.""

    You forgot a couple:

    1. Making sure of a good supply of poker chips. A healthy OSS movement is a good bargaining tool in contract negotiations with proprietary vendors.

    2. Never having to start from scratch ... it's easier/cheaper/faster to take an OSS program that is almost what you need and customize it than to start from scratch and write virginal proprietary code.

    "It is very hard to convince qualified engineers that they should do such boring and unglamorous work without any sort of financial reward."

    You are oblivious of the large numbers of well-paid programmers who work on OSS projects as a part of their regular employment, and those that specialize in customizing OSS for their clients. It's financially as rewarding as coding proprietary software.

  • by Narcissus ( 310552 ) on Thursday June 05, 2003 @07:48PM (#6128221) Homepage
    I guess that all depends on the situation. I work in a relatively small IT company (150 - 200 employees) and we started using an OS project inhouse.

    We started to make changes and were wondering about what to do with them. Not a problem, I emailed our department manager and the CEO and told them what we wanted to do.

    I now have an email direct from my CEO allowing me to release any code I see fit for that project.

    I figured that it would be easier to get permission beforehand than trying to explain it all once someone questioned it...
  • by Anonymous Coward on Thursday June 05, 2003 @09:13PM (#6128635)
    So what? His company is benefitting from the use of OS software, so why shouldn't they give back any improvements they make in return, instead of the usual license fee they would otherwise have to pay for that software? Free as in speech, not beer, get it?
  • My experience (Score:2, Insightful)

    by harikiri ( 211017 ) on Thursday June 05, 2003 @09:34PM (#6128730)
    In all of the environments I've worked in (been in security industry 4 years), the people have been pretty aware of open source/Linux and have been positive about it. Most are willing to consider your request that certain source code/libraries/scripts you develop be made publicly available.

    However, this needs to be clearly defined in your original NDA. If you are considering commencing work that might be useful to the open source community, you might want to get your current NDA re-negotiated so that you can get sign-off from your company to release "authorised" components on a per-case basis.

    The main thing that companies will be afraid of is liability and losing face if the product/code/etc is found to be faulty. Most of the boiler-plate open source licenses [opensource.org] out there cater to this, by stating that the product is not guaranteed to be fit for any purpose, and that by usage the customer/user takes on all liability themselves:

    (Example, BSD license)

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    As a developer you also can make this easier by separating components of your software, making them modular. So that one library that does one thing in a useful way (but nothing especially proprietary) can be distributed, but another library that does some funky stuff on their proprietary application/database remains closed.

    NOTE: I am not a lawyer! ;-)
