Re: Open Source Due Diligence

Marsha Hanus wrote:
Dear Mr. Larmour;

We are thinking about using CRC32 in an IBM product, and, being IBM, we have procedures for using open source. One of the things we do is to try to learn more about the open source code from the authors. So if you do not mind, I would like to ask you a few questions:

No problem.

It appears from the Polynomial table placed in the public domain by Gary S. Brown. that you are the core team authors of the code, but that there may have been other contributors to the CRC32 (for defect repair, enhancements, etc.), especially Gary S. Brown in 1986.

Yes, Gary Brown's public domain code was the starting point.

Do you have a log with tracking information about who made changes to the original code and when the changes were made? If so, do you have information about the contributors such as name and contact information?

We have CVS information for much of it, but to be honest, from your point of view that should be irrelevant because........

Also, how do you obtain all the rights to distribute these contributions under your license (e.g., did contributors agree to assign their copyright rights to you)? Are these permissions in writing?

...... yes the eCos project requests copyright assignments for contributions from random net users. This is done in writing. The only exceptions are for the eCos maintainers themselves who can commit things under their own copyright. Very soon we are intending *all* copyright to be transferred to the Free Software Foundation, but we are waiting for Red Hat.

In practice for that specific file, I can confirm that the copyright is shared between:

Gary S. Brown (but put into the public domain)
Red Hat Inc.
Gary Thomas
Andrew Lunn

The latter two are, as implied from above, two eCos maintainers, and I've CC'd the maintainers list for their info as a courtesy. The latter three have made their copyrighted work available under the eCos license, which is the license found in the header of the file.

There are no further copyright owners.

We are wondering whether the development process for CRC32 includes source control and a standard means of tracking the authorship information.

We have a CVS repository, but as above, changes from people other than maintainers do not get committed without a (written) copyright assignment. That assignment used to be to Red Hat, but due to some tardiness in Red Hat's legal department, current contributions are assigned to another company (who also happen to be my employer) called eCosCentric. This is a temporary measure though: we are focussed on transferring all copyright to the FSF.

But in the case of the file in question and my analysis of the CVS logs, the copyright owners are only the four listed above.

We appreciate that this is a volunteer effort, so we are trying to minimize our questions to save your time. Please feel to contact me by phone if you think that would be helpful.

Hopefully this should help answer your query. Let me know if you need more.


Best regards,
Marsha Hanus
Program Manager
IBM - Tivoli Software Group
310-727-4310 El Segundo
818-906-7662 Remote Office

eCosCentric    The eCos and RedBoot experts
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

