Indemnification of Software

Indemnification of Software, Part I

By Bill Claybrook
http://aberdeen.com/ab_company/bios/claybrook.htm

September 17, 2003

The SCO-IBM [ http://aberdeen.com/ab_abstracts/2003/03/03030019.htm ] lawsuit has brought to the forefront the issues of software warranties and indemnification. This is, in part, because SCO has made an issue out of the fact that IBM and Red Hat, their partners in lawsuits, do not indemnify their Linux customers against any type of intellectual property (IP) infringement. The reason for no indemnification, the companies say, is that Linux is open source code. No single company provides it. Users understand that there are no warranties with open source code, and the users would have to pay for them if there were.

Most proprietary software companies provide some form of limited warranty that guarantees that they will fix bugs, etc. However, not all proprietary software companies indemnify the software that they produce for all users. One theory is that Microsoft and other companies offer indemnification for some products because they know that they will rarely, if ever, have to pay up, and they can say that they indemnify their software.

The use of the indemnification issue by SCO is to try to scare users (companies) into buying a license from SCO to protect them from being sued by SCO. No one that I know of indemnifies Linux or open source code. IBM [ http://aberdeen.com/ab_company/hottopics/ibmlinux/excerpt.htm ] does not, HP [ http://aberdeen.com/ab_abstracts/2001/09/09010004.htm ] does not, Red Hat [ http://aberdeen.com/ab_abstracts/2002/12/12022968.htm ] does not, nobody. And the companies that deliver Linux products make it extremely clear that they do not. For example, HP's software warranty for open source software clearly states "HP disclaims all warranties with regard to open source software, including all implied warranties of merchantability and fitness."

Indemnification is an issue that each company that distributes software, whether proprietary or open source, must deal with individually. Indemnifying software is a complex issue, and does come with a cost - one reason some companies do not do it. This is why you see some companies indemnifying only some of their own software to some of their customers.

This weblog entry is the first of three parts that will discuss indemnification of software, warranties on software, and then some conclusions, with a focus on Linux and open source software. Questions pertaining to these subjects will be included in my upcoming How Fast is Linux Replacing Unix [ http://aberdeen.com/ab_company/hottopics/linuxvunix/default.htm ] project.

5:03 ET

Indemnification of Software, Part 2: Software Warranties - Open Source

By Bill Claybrook
http://aberdeen.com/ab_company/bios/claybrook.htm

September 24, 2003

A warranty is a guarantee given to the purchaser by a company stating that a product is reliable and free from known defects and that the seller will, without charge, repair or replace defective parts within a given time limit and under certain conditions. When it comes to software warranties, the Open Software License [ http://www.opensource.org/licenses/osl.php ] clearly states that the entire risk as to the quality of the software is with the user.

Generally, there are no warranties on open source software. Users who use open source software are doing so at their own risk. When a piece of open source software is created and put out there for people to copy, distribute, modify, etc. within the rules of the particular open source license, such as the GPL license, the people are generally using it without a warranty. There is nothing in the GPL license, however, that prohibits offering warranty protection for a fee, nor is there anything that prohibits you from charging as much as you want for distributing open source software.

HP's software warranty for open source software clearly states "HP disclaims all warranties with regard to open source software, including all implied warranties of merchantability and fitness." Similar statements can be found in other companies large and small that offer open source products or products containing open source software.

What are the differences between companies such as HP, IBM, and Microsoft that develop and sell proprietary software with Third Party software included and companies such as Red Hat and SuSE that sell Linux products that include components developed by other open source organizations or individuals. Generally, the following statements hold:

1. Proprietary software companies do not warranty Third Party software. Users are referred to the Third Party software license agreements.

2. Companies that sell Linux products provide bug fixes and support for the products that they build and sell as covered under their limited warranties, but the open source components in these products that are developed by others are provided and licensed "AS IS" without warranty of any kind.

How important is it to have warranties for open source software? Does the nature of open source software make warranties unnecessary? In the last part of this three part series on software indemnification and open source software warranties, we will give our opinion.

11:09 ET

Indemnification Of Software, Part 3

Warranties and Indemnification of Software

By Bill Claybrook
http://aberdeen.com/ab_company/bios/claybrook.htm

September 29, 2003

In this piece I focus on warranties for open source software. Warranties and indemnification are not the same thing. Indemnify means to compensate for loss, damage, or expense incurred; to give security against future damage or loss. A "warranty" is a guarantee given to the purchaser by a company stating that a product is reliable and free from known defects and that the seller will, without charge, repair or replace defective parts within a given time limit and under certain conditions.

Most proprietary software companies provide some form of limited warranty that guarantees that they will fix bugs, etc. HP's [ http://aberdeen.com/ab_company/hottopics/linuxenterprise/default.htm ] software limited warranty is typical of many companies that produce proprietary software and distribute other vendors' software with their products. The company's software limited warranty is expressly limited to the HP owned software portion of the HP software product. It states that "the warranty for any other software portion of the HP software product ("Third Party" software), if any, shall be governed by the warranty terms provided with the Third Party software." HP's limitation of liability statement goes on to include the sentence "your use of the software is entirely at your own risk."

Companies that sell Linux products provide bug fixes and support for the products that they build and sell as covered under their limited warranties, but the open source components in these products that are developed by others are provided and licensed "AS IS" without warranty of any kind. When Red Hat [ http://aberdeen.com/ab_abstracts/2002/12/12022968.htm ] sells Red Hat Linux or SuSE sells SLES, they have many open source components developed by others that very likely have no warranties and Red Hat and SuSE do not guarantee to fix problems that occur with those components that they did not develop.

As an example, Red Hat's limited warranty (for Red Hat Linux 7.2 Standard Edition) says that Red Hat Linux is a modular operating system made up of hundreds of individual software components, each of which was written and copyrighted individually. The components are collectively referred to as the "Linux Programs" or the "Software Programs" in this warranty statement. Each component has its own applicable end user license agreement. The Red Hat limited warranty says that unless otherwise stated in the Red Hat License Agreement, the Software Programs are provided and licensed "AS IS" without warranty of any kind, either expressed or implied.

But how important is it to have warranties for open source software --- the kinds of warranties that guarantee bug fixes, new releases, etc? Most of the important open source software packages in use with Linux today such as Apache, MySQL, Samba, Sun Grid Engine, and hundreds of others are not developed by individuals working in the far reaches of the Yukon. Most of these packages are developed by organizations or companies, in some cases, that monitor and control the releases, control the bug fixes that are incorporated, and so on (Linux is a prime example). The products are developed in an organized manner with highly skilled development teams using leading edge tools, and in some cases the developers work for large companies like HP [ http://aberdeen.com/ab_company/hottopics/linuxenterprise/default.htm ], IBM, Sun [ http://aberdeen.com/ab_company/hottopics/linuxenterprise/default.htm ], and others with an expressed interest in Linux and open source software.

The open source development methodology fosters and encourages collaboration across organizations and companies, whereas proprietary software generally does not. So when a company is using MySQL or using Apache or using Linux, they can be guaranteed that there is a development team in charge so that the best product possible is made available to the open source community, and if there is a bug in the software, the development team or someone else in the open source community will have a fix for it, just for the asking.

If a company is selling Linux and/or open source products, should that company at least provide some type of limited warranty even if the developers of the code do not provide warranties? I suppose the logical answer would be yes. But based on the commentary above how important is it? Open source software offers benefits to users that proprietary software does not offer. If users want those benefits, then they will accept open source as it is. If they don't, then that will be the real test for Linux and open source.

10:23 ET

The Lack of Open Source Warranties, Revisited

By Bill Claybrook
http://aberdeen.com/ab_company/bios/claybrook.htm

October 23, 2003

To gain more insight into proprietary software warranties and the lack of open source warranties, I spoke to Red Hat and SuSE.

Open source warranties do not exist. Users of Red Hat Linux [ http://aberdeen.com/ab_abstracts/2002/12/12022968.htm ] and SuSE Linux do not buy software licenses. They are free. But companies such as Red Hat and SuSE do sell maintenance and support contracts that provide the same type of support that proprietary software vendors provide with respect to resolving software problems. With either proprietary software or open source software, users pay for support, directly or indirectly. Users who download open source software from the Web do not pay for support. Rarely, if ever, is support provided for downloaded, free software. Users of open source software, however, often have options for the level of support that they desire; whereas, a proprietary software license is usually a fixed price per CPU, number of users, etc. Generally, proprietary software vendors offer more comprehensive software maintenance and support than is provided via the software license, but at additional costs.

Generally, the following paragraphs describe how Red Hat and SuSE handle support for software problems. A problem occurs when software does not work according to its documentation and specification. When a problem occurs, Red Hat and SuSE respond as quickly as possible to resolve the problem. In no case does a user have to directly contact any open source developer or organization. If the problem is with Red Hat or SuSE developed code, then their developers create a patch for the user. When a problem occurs with "third party" open source code, they look internally to determine if the bug is a well-known one. If it is, then they create a patch, one may already exist.

If the problem is with open source software such as Apache, then there is a good chance that Red Hat and SuSE has one or more developers who are regular contributors (both companies do have contributors) to Apache. They create a patch for the user. If it is not a well-known bug, then they replicate the problem and work within the open source community to determine if someone has had this problem. If there is a patch available, then they test the patch and bring the patch to the customer. If there is no known solution or the patch is unsuitable, then they may work with the developer of the software to create a patch or they may create the patch themselves.

Except for the way a software problem is resolved and cost (of proprietary software license versus open source support contracts, there is little difference between a proprietary software limited warranty and an open source support and maintenance contract. They are both designed to resolve customer problems. When you read or hear that open source does not have warranties, you understand correctly, but open source vendors do provide maintenance and support contracts, usually at less cost than proprietary software licenses, that perform the same function.

2:26 ET