Linux and the Developer’s Certificate of Origin

Sitting in his bedroom, writing code for what he would eventually call ‘Linux’, it is now clear that the then 19-year-old Linus Torvalds was laying the foundations not just of the world’s fastest growing operating system but also of years of legal disputes.

Richard Stallman – the open source guru who authored GNU (the Unix-like system that eventually formed the upper level of Linux) in 1984, seven years before Torvalds’ work on the kernel – seems to have thought so. According to informed sources, Stallman, an expert in patent and copyright law, believed from the outset that each new line of Linux code would have to be accounted for.

Perhaps Torvalds was just a naive teenager, or perhaps he simply could not have conceived that his contribution would one day be adopted by major enterprises, but the young programmer did not appear to acknowledge the intellectual property minefield that he was stepping into. He established a loose system of contributing to Linux that allowed individuals to add code without promising that it was their own work. For years, that liberal approach worked well, lowering barriers to people wishing to join the community. But it was a system that always appeared open to abuse.

Perhaps Stallman was not surprised when a small software company called SCO, which owns the rights to a particular version of Unix, sued IBM in March 2003 for allegedly copying chunks of its technology into Linux. (SCO went on to launch lawsuits against two Linux corporate users, automotive giant DaimlerChrysler and car-parts supplier Autozone, earlier this year.)

Since SCO sued IBM, the blossoming Linux ‘industry’ has been striving to close the loopholes. In July 2003, for example, Sun Microsystems began offering Linux customers a legal guarantee that protects them from potential IP lawsuits in the future. Other suppliers, including Hewlett-Packard and Novell, subsequently followed suit. But the guarantees are not cast iron: they typically become invalid if Linux users make changes to the source code, for example.

A fighting fund for users sued for deploying Linux was also established by some major IT companies. But critics said the fund would be big enough to fight only a handful of legal battles.

Then last month, Torvalds, head of the Linux development process, and Andrew Morton, head of production maintenance for Linux, introduced the ‘Developer’s Certificate of Origin’ (DCO). It was perhaps the most significant move yet in the post-SCO attempts to resolve Linux’s legal problems.

Under the DCO, which is being administered by the Open Source Development Labs (OSDL), an industry alliance, developers must put their name beside code that is integrated into Linux. About time, say critics of the open source contribution process. The DCO simply adds another layer of protection to a tightly regulated process, retorts the OSDL.

Paula Hunter, the OSDL’s director of business development, acknowledges that the DCO is the first official certification of its type. But she stresses that it is really just another evolutionary stage in an already-rigorous process of source code submission. She says that meticulous procedures have always been in place for analysing, accepting and adopting new Linux source code.

But not everybody in the open source community agrees. Bruce Perens, co-founder of Software in the Public Interest, an open source development organisation, believes there are loopholes – and proprietary software companies will continue to exploit them, justifiably or not. “They see the absence of central ownership for Linux as a gap that allows them to pick off open source developers individually, with little threat of a concerted rebuttal. Think of this as a ‘death by a thousand cuts’ approach to stalling the free software movement,” Perens wrote recently.

Torvalds, Stallman and others who embrace the sharing spirit of the open source community say the communal approach to source code development produces more reliable, bug-free software than proprietary software. It would be a shame to let a few lawsuits bring this movement crashing down, they say. They may have a point. But IT directors do not expect to be sued for using an open source software programme. The DCO is a step in the right direction – albeit a belated one.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics