Employees typically defy the established software procurement process, bypassing it to download freely available open source code off the Web and putting it to use, warns Christina Martino, HP's new VP of open source and Linux organization.
"All told, HP has spent 60 man-years on free and open source software management," she said of HP's own experience in getting a handle on what it was using or wanted to use and how to incorporate it into its software infrastructure. When HP software execs explained what they were doing to the company's customer advisory board, its members nodded in recognition and asked to benefit from HP's experience, she said.
HP's tools and open source consulting services became available this week. HP has packaged the tools it used to implement open source governance into a package it calls FOSSology. FOSS, in this instance, stands for free and open source software. FOSSology includes an analysis of a company's software infrastructure, run as a batch process and including agents that can detect and extract open source license information governing code in use.
FOSSology also includes a governance framework that helps manage acquisition and deployment and tracking of open source code. FOSSology is being made available for free download as GPLv2 code from www.FOSSology.org, Martino said.
In addition, HP is offering a Web site where information and tools for open source governance will be collected in one spot, www.FOSSbazaar.org. Collaborators providing information on the site include The Linux Foundation, Google, SourceForge, Novell, Coverity (which has a $300,000 contract to run software analysis checks on open source code for Homeland Security), the Silicon Valley law firm DLA Piper, the business strategy firm Olliance Group, and open source expert consultants OpenLogic.
"FOSSbazaar will drive information flows and dialogue around open source governance," predicted Martino.
HP's new governance services are offered under the umbrella name, Open Source Health Check. They include:
The initial goal of the exploration service is to "detect what licenses cover the open source code a company is using and which version of the license applies," such as GPLv2 or GPLv3, which have different provisions, said Martino.
The need to adopt stricter governance of open source code adoption is evident in recent lawsuits, said Mark Radcliffe, a digital rights attorney and member of DLA Piper's Silicon Valley law office. He pointed out in a personal blog that the Software Freedom Law Center received an unsatisfactory answer Nov. 19 about High Gain Antennas' use of BusyBox GPL code. The SFLC filed suit against High Gain the next day.
"The SFLC is much more willing to bring a lawsuit than in the past," Radcliffe noted in his blog, Law & Life: Silicon Valley, on Nov. 25.
The SFLC previously negotiated settlements with parties it had notified were in violation of the Free Software Foundation's General Public License. It was involved in up to 50 negotiations a year. In 2007, it started suing as well. Its biggest target has been Verizon Communications. It sent notice of BusyBox use by Verizon on Nov. 16. When it received no response, it filed suit Dec. 5.
Radcliffe advises: "Respond quickly if SFLC contacts your company and try to resolve the issue promptly."
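The license exploration the article describes, detecting which license and which version (GPLv2 or GPLv3) governs the code in a tree, as an added Python example that is not FOSSology's or HP's code; the grant phrases it matches and the files it scans are my own constructions, and it classifies only by the standard wording found in file headers.

```python
"""Minimal license-header classifier (added illustration, not FOSSology code).
Results use SPDX-style identifiers such as GPL-2.0-or-later."""
import os
import re
from collections import Counter
from typing import Optional

# GPL-family grants state "version N of the License"; an "or later" clause
# changes the obligations, so it is recorded separately.
_GPL_VERSION = re.compile(r"version\s+(2\.1|2|3)\s+of\s+the\s+license", re.I)
_OR_LATER = re.compile(r"any\s+later\s+version", re.I)


def classify_license(text: str) -> Optional[str]:
    """Return the license a file header declares, or None if no grant is found."""
    t = re.sub(r"\s+", " ", text)  # collapse comment indentation and line breaks
    if "Licensed under the Apache License, Version 2.0" in t:
        return "Apache-2.0"
    if "Permission is hereby granted, free of charge" in t:
        return "MIT"
    if "GNU Lesser General Public License" in t or "GNU Library General Public License" in t:
        family = "LGPL"  # checked first: its name also contains "General Public License"
    elif "GNU General Public License" in t:
        family = "GPL"
    else:
        return None
    m = _GPL_VERSION.search(t)
    if not m:
        return f"{family}-unknown-version"  # grant present but version not stated
    ver = m.group(1) if "." in m.group(1) else m.group(1) + ".0"
    suffix = "or-later" if _OR_LATER.search(t) else "only"
    return f"{family}-{ver}-{suffix}"


def scan_tree(root: str, exts=(".c", ".h", ".py", ".js"), head_chars=4096) -> dict:
    """Walk a source tree and record the license declared in each file's header."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    results[path] = classify_license(fh.read(head_chars))
    return results


def summarise(results: dict) -> Counter:
    """Tally licenses across a scan; files with no grant count as 'undeclared'."""
    return Counter(v or "undeclared" for v in results.values())
```

Run `summarise(scan_tree("/path/to/checkout"))` to get a per-license count of a tree; files that name the GPL without a version are flagged rather than guessed.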