Linux Customers, Partners Can Ignore SCO-IBM-Red Hat Linux Battle, OSDL Says

In a multipage letter released today, the OSDL asserted that neither customers nor vendor partners face any serious risks using the operating system and that the legal battles will be fought by The SCO Group, IBM, Red Hat and others in a courtroom--not in the marketplace.

"We see no evidence that end users are slowing down their Linux implementation plans because of SCO's actions," said Stuart Cohen, CEO of OSDL. "There is real doubt as to whether end users should purchase a license from SCO."

The OSDL hired Lawrence Rosen, the founding partner of Rosenlaw & Einschlag, a technology law firm in Los Altos Hills and Ukiah, Calif., to respond to customer concerns. Rosen also serves as general counsel and secretary of the Open Source Initiative, which reviews and approves open-source licenses.

In Rosen's assessment, customers face little risk in using Linux.

"Assume the very worst--that SCO wins its case against IBM, and IBM writes a big check for damages. Assume SCO proves that some portion of Linux is a copy or derivative work of its trade secret software. Assume SCO gets an injunction to prevent anyone from using any version of Linux containing infringing code," Rosen said in a statement released Thursday. "Long before that happens, there will be a new open-source version of Linux omitting any SCO code. Noninfringing Linux will be readily available for everyone's free use because the open-source community is entirely committed to Linux."

In addition to calming those fears, Rosen commented on a variety of issues related to the mounting concerns about intellectual property and contractual violations alleged by SCO in a lawsuit last March.

Here are the remaining excerpts from the multi-page statement released on Thursday. The questions were posed by the OSDL and answered by Rosen.

Q: Is this a lawsuit against Linux?

A: No. This is a lawsuit by SCO against IBM, with counterclaims by IBM against SCO. SCO claims money damages for breach of confidentiality and the disclosure of its Unix-related trade secret information to the public. IBM and SCO had an agreement to work together on IBM's AIX operating system. ... Recently IBM filed a countersuit against SCO alleging, among other things, that SCO is infringing some IBM patents, a move on IBM's part to put its strategic patent portfolio to defensive use.

As this Q&A paper is written, the SCO vs. IBM litigation is still in its early stages. If this were a typical federal civil lawsuit, it would probably continue for 12-18 months and then settle before trial. But this case is such a public event that it may linger for a while before resolving itself at the end with either a defense judgment or with money changing hands.

This lawsuit, with its claims and counterclaims, is at heart a legal dispute between those two companies over money. The Linux operating system itself, and its contributors, distributors and users, are not parties to this litigation and cannot be directly affected by it. But the indirect effects are being felt. The real problem for Linux and open source is not the lawsuit itself but that the SCO vs. IBM case is creating confusion and doubt among Linux users.

Q: How is Linux involved?

A: SCO claims that IBM took SCO's confidential information about Unix and the AIX operating system and improperly contributed it to Linux. The Linux operating system, they assert, was infected with SCO's confidential information and, because Linux is open source, that confidential information has been disclosed to the world. Now that Linux is replacing Unix in the operating system marketplace, SCO has lost business. It claims over $1 billion in damages. Just because two parties enter into a confidentiality agreement and exchange so-called "confidential information" doesn't mean that there really are trade secrets involved. Sometimes the secrets are already out. In most jurisdictions, confidential information loses its trade secret status when it becomes a matter of public knowledge through no fault of the recipient, or was known to the recipient before it was disclosed, or was independently developed by the recipient without the use of the discloser's confidential information.

Unix operating systems have been in widespread use for many years. How Unix works is not a trade secret--it hasn't been a trade secret since long before SCO and IBM started to work together on AIX. In other words, there may have been some trade secrets exchanged between SCO and IBM, but there weren't that many secrets left for them to exchange that could relate to Unix and Linux functionality.

Furthermore, SCO needs to prove that those trade secrets were actually copied into Linux. Linus Torvalds, working alone in his home in the early days on his Linux program, didn't have access to SCO's trade secrets. Nor did thousands of other programmers around the world who have made contributions to Linux software.

Their work is original work based on commonly understood operating system principles, and they didn't need to know SCO's trade secrets to write that software. But let's assume the worst. Suppose the jury, in its wisdom after hearing all the evidence, concludes that there are a few of SCO's trade secrets that ended up in Linux. This worst-case-scenario exercise will help us set the outer limits of risk to Linux and to its users.

Not surprisingly, given my work with Linux and the open-source community, I conclude below that the risk is very small indeed. But don't trust my judgment. I'm not trying to give you legal advice. Ask your own attorney to read these Qs and As and form your own judgment based on his or her advice.

Q: Does SCO have a copyright on Linux?

A: Perhaps. SCO can register a copyright in any software it wrote or modified or that it distributed as a collective work. So can Linus Torvalds, and Red Hat, and SuSE, and Debian, and so can anyone (including IBM) who contributed more than a trivial bit of code to Linux. Any of those people or organizations in the U.S. can send $30, and a form, and 50 pages of their source code to the Library of Congress and get a certificate of copyright registration suitable for framing. The procedures are described at www.loc.gov/copyright. There are similar procedures in other countries.

Registering a copyright is only a ticket to get to court. Registration itself isn't proof of anything important.

Of course, registration doesn't give SCO ownership rights to the original versions of the software it modified or redistributed. Nor does SCO have any copyright ownership in software that is independently written by others, even if that software is based on ideas learned from SCO.

Because copyright law only imperfectly applies to software, SCO has an even bigger hurdle to jump before it can assert its copyrights. Here's where the copyright aspects of this case will be a thrill for those of us who enjoy puzzles or metaphysics. The parties will, through expert witnesses, help the court undertake a somewhat mysterious "abstraction, filtration, comparison" test to remove the functional elements of SCO's copyrighted software and isolate the expressive elements. The law says that only the expressive elements of the software deserve copyright protection. And the "doctrine of merger" also applies, which denies copyright protection to expression necessarily incidental to the idea being expressed. This legal analysis will keep the parties busy in court for many months. Ultimately, after these tests and the merger doctrine are applied to SCO's software, far less will be legally copyrightable by SCO than the code they submitted to the Library of Congress along with their $30 check. And finally, SCO has to prove actual copying or modification of its copyrightable code. Linux's history is not secret. Linux source code is published for all to see, with copyright notices throughout. SCO can find who wrote Linux and ask them, under oath, to describe how they wrote their code. Many Linux programmers are already asserting publicly that they implemented their own software without input from SCO and that SCO's claims are exaggerated. It could take years for SCO to complete the depositions of programmers around the world who contributed to Linux and, when that's all done, SCO will probably not have much copyrightable code left to assert against Linux. Suppose though, after leaping those hurdles, SCO manages to convince the court that IBM improperly copied or modified some portion of SCO's trade secret copyrightable work and contributed it to be part of Linux. The Linux development community is prepared to address this risk head-on, if necessary, by reimplementing any portion of Linux that was written by SCO. SCO has refused so far to reveal which portions of Linux are derived from their software. If they did, the open-source community would immediately start to design around those portions. I know Linus Torvalds, and I know a fair number of open-source programmers who work on Linux worldwide. They are the best operating system engineers available anywhere. It is a safe bet that, whatever infringing software is ultimately found in Linux--if any at all--will be replaced within weeks by noninfringing versions.

That's one of the strengths of open-source software development. Like the automatic rerouting that makes the Internet such a robust network, the open-source community can quickly route around software that doesn't belong because of third-party copyright claims.

Q: Can SCO demand license fees to use Linux?

A: Sure. But just because someone demands money doesn't mean you should pay them. SCO has sued only IBM, remember, not you, and is demanding at least $1 billion in economic damages. IBM didn't reach for its checkbook yet. Why should you? SCO already licensed Linux to you royalty-free when it distributed Linux under the GPL license. Although SCO purported to suspend its Linux distribution after the commencement of this lawsuit, SCO continued to make Linux code available for download from its Web site. By distributing Linux products under the GPL, SCO agreed, among other things, not to assert certain proprietary rights such as the rights to collect license fees over any source code distributed under the terms of the GPL.

Some people complain about the absence of indemnity in open-source licenses, including the GPL license used currently for Linux. The economic equation is simple: Because the software is given away for free, no open-source licensor can afford to offer indemnity.

I don't believe indemnity matters anyway in this case because of the way SCO has structured its complaint. Assume, for example, that SCO wins its case against IBM and IBM pays $1 billion in damages to compensate for the use of SCO's confidential code in Linux. (Again, this is a worst-case scenario helpful only to assess risk to Linux users.) How then could SCO turn to Linux users and ask for the same damages all over again? That double-dipping isn't fair in law or in equity. Courts usually don't allow that.

Simply by being an interested and aggressive defendant with deep pockets, IBM is now effectively shielding Linux users from damages, even without an indemnity provision in the GPL.

Q: What is the effect of the Red Hat lawsuit against SCO?

A: Some of the major players in the open-source community, in particular Red Hat, have finally had enough of SCO's efforts to disrupt the progress of Linux and to spread fear among its users. Red Hat has now sued SCO for unfair business practices. The stakes for SCO are now much higher. It is one thing to start a contractual dispute with IBM and to seek economic damages appropriate for the injury supposedly suffered. It is yet another thing to disparage the reputation of an operating system that was independently designed and developed by open-source contributors worldwide and to instill unreasonable fear in Linux customers about the possible consequences of using that operating system.

The Red Hat lawsuit is one of a number of steps being taken by leaders of the open-source community to respond to SCO's tactics against Linux.