In CIO.com India this week, Bernard Golden touts the advantages of governance for your open source tools -- especially at the enterprise level.
He starts with an anecdote that Sun CEO Jonathan Schwartz shared shortly after the company had acquired the MySQL open source database. It goes something like this: After the CIO of a large financial institution told Schwartz the organization didn't use MySQL because it was a proprietary software shop, a sales associate accompanying Schwartz was able to share that the organization had downloaded the open source database 1,300 times in a six-month period.
The CIO was completely unaware that the application was popular among her staffers, let alone that it was already running inside the organization. Golden points out that in such cases ignorance is not bliss; it is a risk, both because the organization may be failing to meet the terms of the open source licenses involved and because it means the CIO has far less visibility into her own infrastructure than she ought to have (you cannot track, patch or support software you don't know is there). That's why, he says, companies should have policies in place that address downloading open source programs in an enterprise environment, and they should also implement controls with which to enforce those policies.
I agree. Open source procurement processes are a must. But processes and controls alone will not always work. Open source will keep coming in through an organization's back door, simply because it is so easy to get, and because developers working on a project often don't stop to think about procurement before downloading a patch or a component they need. They just do it.
That's why tools from Palamida and BlackDuck, or even OpenLogic's OSS Discovery, which is being used to compile data for the Open Source Census, can be valuable, and why participation in an open source census can benefit individual organizations as well as the open source community as a whole. Periodically scanning the machines on the network for open source components helps CIOs get a handle on what is coming into their organizations, and gives legal the inventory it needs to confirm that the licenses under which those programs are released are not being violated.
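To make the scanning idea concrete, here is an added example (not code from the article, from OpenLogic, or from any of the vendors named above) of the basic mechanism such discovery tools rely on: hash every file on a machine, match the hashes against a catalogue of known open source distribution files, and hand legal a list of what was found and where. The catalogue, the package names and versions, the license labels, the "review required" policy set and the sample directory tree are all constructed for this example; a real tool ships a catalogue of hashes of real distribution files and a policy agreed with legal.

```python
"""Added example: fingerprint a directory tree against a catalogue of known open source files."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-ins for distribution files a real discovery tool would fingerprint.
# The contents, versions and license labels are made up for this example.
KNOWN_FILES = {
    b"mysql client library 5.0.51 (constructed stand-in)\n": ("mysql", "5.0.51", "GPL-2.0"),
    b"apache commons-lang 2.4 (constructed stand-in)\n": ("commons-lang", "2.4", "Apache-2.0"),
    b"openssl 0.9.8 (constructed stand-in)\n": ("openssl", "0.9.8", "OpenSSL"),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Catalogue keyed by content hash, so renamed or relocated copies are still recognised.
CATALOGUE = {sha256(content): meta for content, meta in KNOWN_FILES.items()}

# Hypothetical policy: licenses that need legal sign-off before a component ships.
REVIEW_REQUIRED = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}

def scan_tree(root, catalogue=CATALOGUE):
    """Walk root, hash every regular file, return {(package, version, license): [relative paths]}."""
    found = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = sha256(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            meta = catalogue.get(digest)
            if meta:
                found[meta].append(os.path.relpath(path, root))
    return dict(found)

def review_queue(inventory, review_required=REVIEW_REQUIRED):
    """Return only the components whose license is on the review list, with every location seen."""
    return {meta: paths for meta, paths in inventory.items() if meta[2] in review_required}

def build_sample_tree(root):
    """Constructed sample: two projects, one of which vendored a second copy of the MySQL client."""
    layout = {
        "projA/lib/libmysqlclient.so": b"mysql client library 5.0.51 (constructed stand-in)\n",
        "projB/vendor/libmysqlclient.so": b"mysql client library 5.0.51 (constructed stand-in)\n",
        "projB/lib/commons-lang-2.4.jar": b"apache commons-lang 2.4 (constructed stand-in)\n",
        "projB/README": b"internal project, nothing to see\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    """Build the sample tree in a temp dir, scan it, and return (inventory, review queue)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        inventory = scan_tree(root)
        queue = review_queue(inventory)
    return inventory, queue

if __name__ == "__main__":
    inventory, queue = demo()
    for (pkg, ver, lic), paths in sorted(inventory.items()):
        print(f"{pkg} {ver} [{lic}] seen {len(paths)}x: {', '.join(sorted(paths))}")
    print("needs legal review:", sorted(m[0] for m in queue))
```

Matching on content hashes rather than file names is what lets a scan find the copy a developer renamed or vendored into a project directory, which is exactly the kind of back-door arrival the paragraph above describes; the cost is that a catalogue only recognises files it already has hashes for, so a locally rebuilt or patched library will not match and still needs a manifest-based or package-manager check alongside it.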
And if, like the CIO in Schwartz's example, CIOs discover that particular open source programs are already widely used in their organizations, they may be able to retire the proprietary equivalents of those programs and save money along the way.