1. OPEN SOURCE AS AN INTEGRAL PART OF
PROPRIETARY SW PRODUCT DEVELOPMENT
eMBA –thesis
Tampere University of Applied Science
Matti Suomalainen
August 2008

2. TAMPERE UNIVERSITY OF APPLIED SCIENCE
Business administration
Author: Matti Suomalainen, FM (physics)
Program: Executive MBA -program
Title of the thesis: Open Source as an Integral Part of Proprietary SW
Development
Number of pages
and appendices: 46 + 5 pages
Tutor of the thesis: Rami Lehtinen, DrTech.
ABSTRACT
This eMBA thesis deals with the discussions how to attach Open Source (OS)
as an integral part of proprietary SW development according the company
strategies.
The primary objective of the thesis is to define a process description to support
the company management when they are considering the possibility to use OS
SW in their products.
Sub objectives of the thesis are to open the major process elements for further
discussion: Risk mitigation of OS software usage and OS community
relationship management.
The thesis consists of an empirical OS analysis section, a case study (Nokia
N800) and a community management practice section. The method of approach
used is deductive reasoning.
OS analysis section discusses the characteristics of OS SW itself and the
usage if it. Case study opens the public characteristics of Nokia N800 as is
feasible for the thesis. Community practices are discussed for the business
enhancement perspective.
As a result of the thesis is an OS Analysis Process (OSAP) is presented on a
flow chart form. Process phases are opened into separate sections focusing
only OS related characters.
Conclusion of the thesis is that OSAP can be used to mitigate the OS usage
risk, but it will not remove the risk totally.
Nevertheless as this study deals only one publicly known case, analysis phases
can be taken as a general guideline for further discussions. There are still
practices which are not established yet, like donation business model and profit
driven community.
Keywords: Open Source, OS software, OS community, OS product
development

3. 1
TABLE OF CONTENTS
1. Terms and Abbreviations................................................................................. 3
2. Introduction...................................................................................................... 4
2.1 Objectives ................................................................................................. 4
2.2 Methods .................................................................................................... 4
2.3 Background............................................................................................... 5
3. Markets............................................................................................................ 7
3.1 OS Business models................................................................................. 8
3.2 Mode of Operation - OS Community......................................................... 9
3.3 Case: Nokia Internet Tablet ...................................................................... 10
3.3.1 Architecture........................................................................................ 10
3.3.2 Components ...................................................................................... 11
3.3.3 Business benefits............................................................................... 11
3.3.4 We kit for S60 Platform...................................................................... 12
4. Product development and management.......................................................... 13
4.1 Modularity ................................................................................................. 13
4.2 Proprietary ................................................................................................ 15
5. Open Source ................................................................................................... 17
5.1 Open Source SW ...................................................................................... 17
5.2 Open Source methodology ....................................................................... 19
5.3 Pros & Cons.............................................................................................. 19
6. Risks of using OSS.......................................................................................... 21
6.1 Intellectual Property Rights (IPR) Risks.................................................... 21
6.2 Security Risks ........................................................................................... 21
6.3 Quality and Product safety Risks .............................................................. 22
6.4 Maintenance and Support Risks ............................................................... 22
6.5 Contractual Risks...................................................................................... 23
7. Internal Analysis .............................................................................................. 24
7.1 Legal analysis ........................................................................................... 24
7.2 Intellectual Property Rights analysis ......................................................... 25
7.3 License consistency analysis.................................................................... 25
8. Benefits of using OSS ..................................................................................... 27
8.1 Cost savings ............................................................................................. 27
8.2 Quality & Flexibility.................................................................................... 27
8.3 Speed & Time ........................................................................................... 27
8.4 Software in-licensing................................................................................. 27
8.5 Available developers................................................................................. 27
8.6 Roadmapping & future .............................................................................. 28
8.7 Open Source as an innovator ................................................................... 28
9. Costs of using OSS ......................................................................................... 29
9.1 Monetary costs.......................................................................................... 29
9.2 Non-monetary costs.................................................................................. 30
9.3 Clean room SW development ................................................................... 30
10. Business case Analysis............................................................................. 31
11. External Analysis....................................................................................... 32
11.1 Comparison of the financial structure.................................................... 32
11.2 Comparison of the organisational structure........................................... 32
11.3 Sustainability ......................................................................................... 33
11.4 BRR....................................................................................................... 34
12. Community work ....................................................................................... 36
12.1 External communities ............................................................................ 38
12.2 Own communities.................................................................................. 39
12.3 Community characteristics .................................................................... 40
12.4 Drivers ................................................................................................... 40

4. 2
12.5 Behaviour
Error! Bookmark not defined.
13. Conclusions .............................................................................................. 42
14. Critics and Suggested proceedings .......................................................... 43
14.1 Donation ................................................................................................ 43
14.2 Profit driven community......................................................................... 43
14.3 Opening whole entity............................................................................. 44
15. References................................................................................................ 45
APPENDIX 1: .......................................................................................................... 47

5. 3
1. TERMS AND ABBREVIATIONS
BRR Business Readiness Rating
DDP Due the Diligence Process for OSS
FLOSS Free/Libre/Open Source Software
HW Hard Ware
IPR Intellectual Property Rights
NDA Non-Disclusure Agreement
COSS the Finnish Centre for Open Source Solutions
OPEX Operating Expenses
OS Open Source
OSAP OS Analysis Process
OSI Open Source Initiative
OSS Open Source Software, SW licensed under a license and meets the
Open Source Definition
SaaS Software as a Service
SW Soft Ware
This work has been licensed with Creative Commons attribution, share alike 3.0 Unported license.
http://creativecommons.org/licenses/by-sa/3.0/deed.en_CA

6. 4
2. INTRODUCTION
2.1 Objectives
The objective of this thesis is to give guidelines and a process to the company
management when they are exploring the possibility to use OSS as an integral
part of their proprietary SW product or service.
There are many business models used together with OSS, but this thesis will
concentrate only one – attaching OSS modules with proprietary system. I will
show aspects which indicate that it is profitable to the company if an OSS
module is found and used in a controlled way.
The sub objective is to define a certain set of sub processes in the main
process, which help to mitigate the risk, when OSS is decided to use. This will
not make the OSS usage risk free though, but gives a direction where the
company should put its’ effort when minimizing the risks.
2.2 Methods
Deductive reasoning is one of the two basic forms of valid reasoning. While
inductive reasoning argues from the particular to the general, deductive
reasoning argues from the general to a specific instance. The basic idea is that
if something is true of a class of things in general, this truth applies to all
legitimate members of that class. The key, then, is to be able to properly identify
members of the class. Miscategorizing would result into invalid conclusions.
On my thesis I will introduce several classes which specify that assumption I
have concerning the success of using OS as part of the company SW. While
ddeductive reasoning is dependent on its premises, I will define and set a
limit for those. I will discuss only attaching OSS modules with proprietary SW
system and sub elements within that.

7. 5
Because of the validity of deductive reasoning, I make assumptions that are
both useful and efficient.
In the mid 2010’s I had a privilege to follow closely how Nokia started to begin
its journey with the Internet Tablet development. During that time and
mentioned domain, I worked with the most OSS players in the world, who had
something to say to the upcoming new business era.
When Anssi Vanjoki, Executive Vice President & General Manager, Multimedia,
Nokia, presented the Nokia N810 at the Web 2.0 Summit in San Francisco in
October 2007, he said, that the journey is on its half way and the Internet Tablet
is heading towards to mass users now.
All the information discussed on this thesis, is presented in public already
somewhere. I have just combined and presented that information the way I
have seen it’s functional and fits to the thesis and upcoming business purposes.
The most informative source has been COSS, Which is a national development
agency for open source business ecosystem. COSS promotes the development
and adoption of managed and sustainable open source solutions in various
industries.
2.3 Background
During the past ten years the use of FLOSS including Linux, has significantly
increased. Both the growth and the economic impact have been enormous [1,
2]
Where such OSS components are of high technical quality, they promise
benefits regarding time-to-market, cost and the opportunity to speed up
company’s software programs and products by proven, open and standardized
software solutions. Quality of OSS has been discussed a lot already and is still
under further discussions [3].

8. 6
Probably the most famous OSS application is Linux, which originated from
Finland and from Linus Thorvalds hands. Today Linux has entered into
numerous other industry areas than just in IT sector. In fact the whole FLOSS
generally has emerged into various industries (Figure 1). Recently Linux has
entered into several mobile devices including mobile multimedia computers.
Figure 1. Use of FLOSS in software products by industry [4].
Even though the wide use and potential benefits, OSS also presents unique
challenges to the company through out the methods by which OSS is
developed, maintained and licensed by the OSS developer communities and
other OSS providers.
A contractual risk management tools are typically not available for OSS, the use
of OSS in product development programs and products can create a risk
mitigation gap.
This thesis has been written to manage with direct and single supplier
relationships and some extent to interact with developer communities.

9. 7
3. MARKETS
I won’t discuss here about the OSS markets or how to find certain OSS
components for the company needs. There are a lot of places over the Internet
where the companies can identify and bundle together various OSS modules for
their purposes. It is more like a traditional SW sourcing activity than a company
business decision activity, which I more concerned on this thesis.
But in case someone is willing to start from the OSS listings, then one of the
biggest places to source possible components is Sourceforge.net [14]
There are many ways a company can utilize FLOSS to generate revenue.
When a company is generating revenue with something which is called “free”, it
becomes interesting among its competitors. How it can be done?
Lets look at MySQL, which product is the the world's most popular open source
database. Basically they have a SW which you can download free from the
internet. After that there are two options: Either you start to use by your own or
ask for consultancy. There are several reasons why companies prefer the
consultancy instead of starting to build an IT support function. Eventually the
company’ core business is still on the database content usage, not how to run
that database.
From this set up there is not a big step to the SaaS model. It is a software
delivery model where a software vendor develops a web-native software
application and hosts and operates the application for use by its customers over
the Internet. Customers do not pay for owning the software itself, even though it
might be OSS, but rather they are paying for using it with a little help.
MySQL became so interesting when it was acquired by the Sun Microsystems,
a giant player on IT sector [6]. The Sun Microsystems is an appreciated
company and very much focused on exploring OSS. They have opened also
their operating system, Solaris, for the developers.

10. 8
Another acquisition to be noticed here is when Nokia acquired Trolltech to to
accelerate their software strategy [7]. This act has impact also to the OS
communities, and was taken into account when the offer was published. Both of
the cases a lot of money was seen moving around the OSS.
Looking SW markets, one cannot pass Microsoft. There is yet no another such
a story than Microsoft story among the proprietary SW development. There are
many opinions on that influence, but one thing is evident – The impact of
Microsoft has been huge for the SW industry. Recently Microsoft has planned to
open its interfaces to the developers and keep those interfaces well
documented for further use [8]. Microsoft is looking for more growth and
revenue as any healthy company should always do. With this action they see
that it can be achieved throughout the openness.
The major breakthrough related to the mobile devices and OSS happened June
2008, when Nokia acquired the Symbian and announced to form a foundation
around the Symbian platform. The Symbian Foundation platform will be
available to members under a royalty-free license from this non-profit
foundation. The Symbian Foundation will commit to moving the platform to open
source during the next two years, with the intent to use the Eclipse Public
License. This will make the platform code available to all for free, bringing
additional innovation to the platform and engaging even a broader community in
future developments.
3.1 OS Business models
There are at least three ways to make money with OSS solution on this thesis
scope. Outside the thesis scope, I’ve seen at least a dozen different business
models so far and some examples of how to utilize those.
MySQL –case has shown that even though there are open source components
in the SW, nobody knows the SW so well than the company, who has
orchestrated its creation. Instead of selling the SW license, a company is selling
their expertise or service. Alternative option is to sell another licensed version

11. 9
for the customer after they have tried the OS version first again with the service.
Customer retention rates can be surprising.
After the company has created a position on the markets, it is noticed by the
same area competitors and they are vulnerable for acquisitions. This type of
phase out is natural for certain start-up companies for example. This is business
model which is suitable for the latter phase.
The third one is the one that Nokia and some other companies are using and it
is used also in the desktop world. They are selling the HW and the SW on top of
that is free. It is also open for further development. The tricky part here is that
how much need to be “open” and be still profitable without diluting own
resources.
3.2 Mode of Operation - OS Community
When producing OS SW, we need to look more detailed the environment where
the SW is produced. That environment is called a community.
All the community work is based on the Open Source Definition [11], which is
discussed later on the chapter 5.1 more detailed. These rules give a solid
foundation the SW development work when everyone on the community is
valuing these criteria.
If we are looking SW production from the technical perspective, an OS SW
project needs the same technical infrastructure as any other SW project.
Naturally one can find OS tools to develop and maintain OS SW.
Karl Fogel elaborate well the various project elements, which need to taken
care when setting up an OS SW project [20]. His approach has encouraged
other authors to go deeper to the developers’ code of conduct [21, 22].

12. 10
3.3 Case: Nokia Internet Tablet
FLOSS has entered into mobile communication era as well and Nokia in one
the leaders there. Traditionally Nokia is considered as a telecom company or
phone manufacturer, but like other big companies Nokia has to adopt the
requirements of the new businesses. Openness has been taken seriously [18].
3.3.1 Architecture
Nokia N770 and its successors N800 and later on N810 started a new era on
Nokia product development. These devises were innovative new products,
which were not PDAs, not phones but portable handheld Internet browsers,
Internet tablets.
Their heart is Maemo, application development platform, which is based on
Debian GNU/Linux. More detailed architecture is described in figure 2. [9]
Figure 2. The SW architecture of the Nokia 770 internet tablet [9].
Open Source
Commercial
Nokia Software
Nokia User Experience
Nokia Opened Middleware
Application Application Application
Engines Engines Engines
The Nokia Linux / OSS stack
Hardware Adaptation

13. 11
3.3.2 Components
Nokia wanted to develop its platform components as a part of the communities,
not exclusively just on Maemo, but wherever the developments actually
happened. More about the architecture modules can be found from the
following links:
• GTK http://www.gtk.org/
• GNOME http://www.gnome.org
• SDL http://www.libsdl.org/index.php
• D-BUS http://www.freedesktop.org/Software/dbus
• GStreamer http://gstreamer.freedesktop.org/
• Helix https://helixcommunity.org/
• Bluez Bluetooth Stack http://www.bluez.org/
• MatchBox Windows Manager http://projects.o-hand.com/matchbox/
A pioneer spirit can be seen from the mode of operation and the way how it was
managed.
3.3.3 Business benefits
It has been estimated that Nokia saved a 900 million euro on product
development costs when utilizing OSS components. According the same study,
Nokia wrote less than 2% of the software. Other large companies wrote more
than 12% and others (Debian) the rest. [2]
Such a large savings in development allowed reduced R&D spending and allow
Nokia to focus on product innovation. It was also evident, that these savings
could have limited losses in developing a risky product with an unclear and new
market. [2]
As a result Nokia could make a risky, innovative product – and top of that turned
out quite successful.

14. 12
3.3.4 Web kit for S60 Platform
Nokia has also developed an open source web kit, which can be ported onto the
proprietary S60 platform. There is an architecture description from a web kit
opened by Nokia on the figure 3 [18]. This can be considered as a new
approach towards the OS world again from Nokia.
Figure 3. Opened web kit architecture [18].

15. 13
4. PRODUCT DEVELOPMENT AND MANAGEMENT
Traditional SW development goes along with certain processes. Most common
way to illustrate the product development life cycle is to follow the water fall
model. Typically working this way takes a lot of time, at least when there are a
lot code lines and functionalities on the SW.
Customers need to wait until the SW is ready and after that they can comment
how it works. It might be frustrating to wait for even 18 months to see, that the
SW didn’t had that expected functionality which was assumed there to be in.
Other process models were developed to get the customer closer to the
development and requirements phases. Agile SW development, SCRUM, or
incremental delivery processes were introduced, but still there were some
unwanted delay. And internet clock pace don’t make the situation any easier.
Developing OSS in communities is one step closer to the customer again.
Customers can be in the specification phase; they can implement the code, test
the code and even build some extra on top the code, if more customization is
needed.
Customers become “prosumers” by co creating goods and services rather than
simply consuming the end product [10].
The role of the traditional product management has moved away. Instead of
one company function to manage the product life from the beginning to the end,
there are several independent customers and individuals doing exact the same
on line already from the day one. In general terms this is called as a community.
How to work in the communities will be discussed later on this thesis.
4.1 Modularity
Modularity is important characteristic of software system. It means that in the
system there are separate parts called modules. A module interface

16. 14
specifications define the elements which are provided and required by the
module.
On the proprietary SW the interface specifications are mostly technical
specifications. On the proprietary SW world the culture of the modules is
technical. One can add and attach modules into the system, if they are
technically compatible with.
Company can make these modules by themselves. Or they can ask another
company to make them according the specifications given and buy the end
result that way from the other company. Or they can buy ready made
modules just to use them.
Addition to these traditional ways, a company can use ready made OSS
modules. It can also participate existing OS project or set up an own OS
community to create project for a wanted functionality (Figure 4).
If a company can find a mature ready made OSS component the cost
savings are evident compared to the case that the company need to build it
by themselves.
Benefits of the modularity from the OS point of view are:
• Module reuse
• Module replacement
• Horizontal business possibility
Additions to these above, there are a lot of other product development
related benefits too.

17. 15
Figure 4. Modularity on SW development incl. OSS components
4.2 Proprietary
Proprietary software means a SW with restrictions to use or make private
modification. Addition on that one cannot copy it or publish modified or
unmodified versions of it. These restrictions are set by the proprietors. Similar
terms include "closed-source software" and "non-free software".
Most used proprietary SW platforms are probably Microsoft Windows platform in
the traditional computer world and Symbian S60 platform on the mobile
computer world.
A company can protect its product like by copyright, trademark or patent.
Let’s look at the copyright closer first, due the reason that some OS licenses are
sometimes called copyleft licenses.
Copyleft can be seen as a practice to use copyright law to remove the
distribution restrictions. It is like using the law other way round.
Upstream OSS Projects
OSS Components COMPANY
Specifies PRODUCT
Integrates Or
Licensed Components Tests SERVICE
Customize
Etc.etc.
Company driven OSS projects
Subcontracted Components
Company’s own proprietary
Components

18. 16
The author, who has the copyright, has certain rights which are listed below:
• The right to copy
• The right to distribute and make available
• The right to modify, adapt, translate (i.e. to create derivative works)
• The right to use the work in a collection
• The right to publicly perform, display, broadcast…
If we look at the GPL license, it seems that all the copyright has been left to the
code.
Characteristics for the copyright are:
• It protects the form
• There is no registration needed
• It gives a long-term protection
• Use is not protected
• Ownership might be difficult to prove
• It applies globally
• It is cheap
A trademark is an indicator which is used by a company to identify the
source of its products. It is part of the company’ IPR too.
Patent is the heaviest tool in the company IPR portfolio.
Characteristics for the patent are:
• It protects an Idea/Function
• Registration in the Patent Office is needed
• Gives typically 20 years protection
• “Use” is protected - without permission, no usage
• Ownership is rather easy to prove

19. 17
• Applies only in the particular countries where patents are granted
• It is expensive, hundreds of thousands Euros all together
IPR portfolio is very important for the company. IPR can be used like money,
when trading with other companies. It is said that a company should never
practice OS close to the domain area where it has a thick patent portfolio. It
might dilute its own patent portfolio there.
5. OPEN SOURCE
5.1 Open Source SW
OSS is simply a piece of software, which is issued under certain OS license.
There are three major types of OS licenses and some their characteristics listed
on the table 1.
License type Copyleft license
Characteristics • License means “permission
under copyright”
• Broad and strong inheritance
effect ( so called “viral”effect)
• No explicit patent grants
Examples GPL, LGPL
License type License Contracts
Characteristics • Real contracts are made
• Limited inheritance
• Explicit patent grants
Examples Mozilla, IBM CPL, SUN SISSL
License type Permissive license notices
Characteristics • Permissive copyright license
• No inheritance
• No explicit patent grants
Examples Apache, BSD, MIT
Table 1. The Major types of OS licenses, some their characteristics and
examples of those.

20. 18
There are hundreds of licesenses available and mixing of those to the same
code are not always possible [5].
Open Source SW development is something that no company can do just by
themselves. Or it can, but then there is no sense at all being closed and the
code is open within the closed company walls. Despite of that restriction from
the code ownership point of view, OS provides the company very pragmatic
way of making SW.
The Open Source SW definition by OSI [11]:
1. Free Redistribution
• There are no fees or royalties for redistribution
2. Source Code
• Source code must be provided, binary if asked
3. Derived Works
• Anyone is free to modify and distribute
4. Integrity of author’s source code
• Identify original source code
5. No discrimination against persons or groups
• Anyone, any group can utilize
6. No discrimination against fields of endeavor
• There are no limits on how to use
7. Distribution of license
• No additional contracts needed downstream
8. License must not be specific to a product
• Cannot say like: “Can be used only in connection with…”

21. 19
9. License must not contaminate other software
• It is not a derivative work for example from a proprietary code
10. License must be technology-neutral
• There are no requirements or similar acts of acceptance to make a
contract between licensor and license
There is more detailed definition of OSS on OSI internet pages [11].
5.2 Open Source methodology
OSS is a result from the community work. The piece of SW is produced by a
certain group of people, who have decided to follow certain principles
voluntarily.
It is at least as important to understand the OS ideology, than to understand
why to use OSS components. They go hand to hand, and there will be no other
without the other.
To get the true benefit out from the OSS module, one needs to know the
development logic behind it. Unfortunately this type of ideological thinking is
quite often too far away from the business case and therefore the importance is
not understood.
Community work and returning to the community are too many times only on
the costs’ side and the true end customer intimated development is not
accessed.
5.3 Pros & Cons
If using OSS in the product were so easy and risk free, every company would
have done it already for decades ago. The following chapters describe the risks
and benefits of using OSS. There are no straight answer when to use OSS

22. 20
when not to use OSS, but after the analysis phase a company management can
make the decision whether to go for OSS solution or not.

23. 21
6. RISKS OF USING OSS
6.1 Intellectual Property Rights (IPR) Risks
As mentioned earlier, the IPR portfolio is very important to the company.
Therefore is crucial to all the effort needed to mitigate the IPR infringement
risks. When a company is using OSS there are possibilities for the following
risks:
• Possibility of inadvertent infringement of copyright and/or patents of third
parties. This might be just generally or with respect to certain countries.
• There are no indemnity against third party claims of infringements of
IPRs
• Obligation to license company’ copyrights and patents for free to third
parties under certain OSS software licenses
• No certainty whether the licensor is the owner of copyright or patents, or
has legally acquired such rights
Quite often a company hasn’t done its background work carefully and just do
not know enough. Therefore it has to pay money to someone else.
More about the minimizing the IPR risks can be found from Välimäki &
Oksanen’s article [12].
6.2 Security Risks
Sometimes in communities an undefined group of people have controlled or
uncontrolled access rights to the “open source” source code. This can make the
system highly vulnerable to different types of viruses, backdoors and Trojans
which can be implemented in the source code. On the other hand, the open
source community itself also acts as an effective source code reviewer.

24. 22
The risk judgment need to be done and should be based on the maturity of the
source code as well as the maturity of the community (e.g. how well the source
code is reviewed by the community).
6.3 Quality and Product safety Risks
Product safety and security is extremely important, because it directly impacts
on the overall usability and user satisfaction in the product. Lack of safety and
security might be harmful to company brand and might cause bad publicity.
Sometimes it might be a danger to a human life too. It can lead to a costly
delivery stop or even product recall. Any way the financial costs and losses are
evident.
Company is liable for all the modules it has in its product despite the origin.
Product liability is a strict liability for the manufacturer, but there may also be
effective defenses, which are not discussed here.
It is said, that OSS has a high quality [13], but sometimes it might the other way.
Software might have poor quality too. In cases where the source code is
available, risk mitigation may necessitate the review of the entire software. This
might cost money again and increase OPEX.
From this perspective the SW maturity is a key element when selecting the OSS
component.
6.4 Maintenance and Support Risks
Every SW needs to be maintained and supported during its expected lifetime.
The following aspects need to be taken into account when attaching OSS into
system:
• There may not be any warranties by licensor/author
• There may not be support available, no update/upgrade obligations for
licensor, there are problems in handling the source code tree, problems
related to the “forking” of the source code, difficulties in acquiring
maintenance and support for legacy open source software, a risk that further

25. 23
updates/upgrades of the software are not useable because the software has
been developed in a way incompatible with technologies used in the BU.
• Risk of contaminating own or others proprietary components
• The use of an OSS tool (a compiler or SW alike) may leave traces
proprietary software platform, product or service or in some way may be
exposed or deployed to third parties.
Nevertheless these details can be checked and mitigate the risk that way again.
6.5 Contractual Risks
In proprietary world companies are making agreements, where they agree
about the liability among other things. If something goes wrong, we know who
did the mistake and who is paying the bills. At the very end the manufacturer
has the liability, but it can claim damages from its contractors. Another thing is if
the company gets one.
It is very difficult, even impossible to claim damages if there is a faulty part in
the company product and it is located into the OS part of it.
Therefore a company need a tool or analysis to make the risk of using OS as
small as possible and most of all, manageable. Good thing here is that there are
no contractual risks anymore.

26. 24
7. INTERNAL ANALYSIS
The Internal Analysis can be used on analyzing each software component. This
means it applies in a given Linux OSS distribution as well as to the other
individual OSS components. To be on the safe side, each and every module
needs to pass the analysis.
This analyzing phase is the most important element when calculating whether to
use OSS components. It is also the most expensive element due the reason
that it requires specific information and resources. Special competences are
often the most expensive.
It is difficult so say in which circumstances the analysis becomes more
expensive than developing the SW by own. Nevertheless on this phase
company should not to start to save. The analysis need to be thorough and
wide enough. Rethinking is needed if the estimated breaking point has been
passed or is close enough now already.
7.1 Legal analysis
Legal analysis is done to ensure the compliance with applicable laws and
regulations. The requirements might come from country legislation, from
industry legislation or from safety and security legislation. When approaching
legal issues, one cannot be too careful. Misconducts there might come
expensive again.
There are legal companies which are specified on legal check and they are
associated with other domain area experts. Quite often a company can inquire a
total solution offering from certain legal counselor office.

27. 25
7.2 Intellectual Property Rights analysis
IPR analysis will cover minimum the following four elements:
• Possible 3rd
party patent check which are relevant to the distribution and
use of the software
• Trademark search for potential 3rd
party trademarks
• Seek potential risk of dilution of company’s own patent portfolio through
the use of the OSS
• Alignment check to other patent related obligations, like with other
companies & forums (like cross-license agreements)
Again there are specified companies who can help on this, if the company
hasn’t own competent resources to complete this action.
7.3 License consistency analysis
The license consistency analysis shall identify and document the license terms
for an OSS component. This is easy to remember from “Three C’s”. This will
cover at least the following parts:
• Compliance with the applicable license terms and mix of those
• Consistency of the applicable license terms, i.e. compatibility of all
applicable licenses
• Compatibility of applicable licenses between different software components
The company can start to keep up the OSS asset catalog already from the day
one. The benefits of keeping such a catalog are the following:
• Reuse is supported (cost effective)
• Re-DDP can be avoided (cost effective)
• Modifications are easy to start (quality and cost effective)

28. 26
When the whole analysis is done for the business case, the analyzed software
module gets status which can be:
• Use is not OK - Risk level of the package is unacceptable – Not to be used
• Limited use OK - Use under the restrictions mentioned in the module
package
• Use is OK - Low risk level and no restrictions for use in this case
• Use is OK - Low risk level and no restrictions for use in any case

29. 27
8. BENEFITS OF USING OSS
8.1 Cost savings
Cost saving is most probably the key driver and it can be achieved by:
• Utilizing available OS components as such i.e. re-use those which have
been used before and accepted for the re-use
• Improving existing OS components
• Further developing OS components to the bigger components and
subsystems
8.2 Quality & Flexibility
Quality of the code and operation flexibility can be achieved when, the visibility
is good all the way throughout the community and the access to the source
code is evident in the community.
8.3 Speed & Time
The importance of the time to market and the window of opportunity have
increased and the clock speed has become faster. Fast kick-start with available
components and easy acceleration with known technologies will help to stay on
this internet pace.
8.4 Software in-licensing
Licensing SW from other companies with good commercial terms might take
some time. Using OS SW this licensing is done in advance.
8.5 Available developers
This is obvious especially on the continuous communities. It’s always nice to
work with the challenges one has picked for himself.

30. 28
8.6 Roadmapping & future
Openness is not just related to the source code, but also to the feature
roadmaps. They are visible and can be influenced through open discussions.
They can be even changed by showing up with good, working code and use
case.
8.7 Open Source as an innovator
A human is a social animal. It has a need to share its experiences to another
human. This is the very basics in the herds where the safety of the herd comes
before the safety of the individual. Some good and some bad are beneficial to
be remembered by as many as possible. It might save the herd one day from
the disaster.
In organizations, the living organizations try to memorize the information as
well. They build processes to act as the organizational memory. There are
databases to be the actual memory too. Unfortunately it has become so in many
companies that it is more important to gather information than to share.
Gathering information means power and power means money.
If a company could combine the power of gathering and the power of sharing
could the company be both safe and rich at the same time? I would say yes,
when the company knows what to gather and what to share.
Before the company can share, it needs to open the information. There so much
information today, that it needs to differentiate its information from the
information flow to find the target audience.
Shared information creates shared innovation. 1+1 = 3, if right people are doing
the math. Companies like new innovations, because they might bring revenue
depending on the investment.

31. 29
9. COSTS OF USING OSS
9.1 Monetary costs
Even though there is typically no license-fee attached, OSS might not come for
free. On the table 2 there are some possible additional specific costs which
need to be evaluated beforehand.
This cost-benefit calculation has to be included to the business case proposal
when building up the pay-back time.
Cost Description
Integration cost Costs to modify and integrate
the component to the Proprietary
software component.
Maintenance cost Costs for error corrections or
modifications to updated
component versions
Possible NDDP process
cost
• Costs of Legal and IPR
resources needed to make risk
analysis.
• Re-DDP costs induced by
updated OSS license terms
Agreement making costs Possible costs related to
negotiate Agreements with the
OSS distributor
Distribution and other
maintenance costs
Costs to distribute the source
code; Costs to maintain the
copyright and license info
Community costs Community work and
investments
Table 2. Possible additional specific cost generators when using OSS.

32. 30
9.2 Non-monetary costs
Like in most business cases it is difficult to investigate the non-monetary costs. I
guess the most forgotten non-monetary cost is the cost of the company
employee initially voluntary work, when the work becomes a burden.
At first one might think it just a free and extra effort what the employee is
contributing to the OS project. At the beginning it might be just that way, but my
experience has shown that in unfortunate conditions even the most OS
heartened and skillful company employee feel frustrated and worst of all feel to
be used. Then he starts to use the company and the cost becomes real.
Further on from a cost factor might become even a risk factor if the competence
of this persons are core competences and not replaceable.
9.3 Clean room SW development
Sometimes you need to get rid of the module because it’s too risky. Clean room
development is used when the software is created to mimic functionality of the
other. This is done so that it will not infringe the copyright of that other software.
Typically it is done in a way that two software development teams working
parallel. One team (Team I) formulates functional specifications based on an
analysis of the software to be replaced.
The second team (Team II) implements the new software based on these
functional specifications, but has no whatever access to any material leading to
these functional specifications.
It’s important that all communication between the teams is done in writing only.
This communication is monitored by the domain experts like lawyers. Team I
tests the software that Team II has produced and reports back mismatches with
the required functionality.
That way the company can replace the risky software module from system.

33. 31
10. BUSINESS CASE ANALYSIS
Business case analysis is an analysis what companies use for project selection
from a pipeline. It analyzes how profitable the business case is and will the
project follow the company strategy and sustain the competitive advantage of
the company.
The business case analysis might lead into the business plan with more
detailed studies and analysis. One can convert the business case into actions
and milestones and further to the project plan that will guide project people
through the entire project lifecycle.
Depending on the company business processes, the content varies a lot, and
this thesis will not discuss about the other elements of the business case
analyzing nor planning except the OS part of it.

34. 32
11. EXTERNAL ANALYSIS
Quite many benefits of using OSS come not just directly using the OS SW, but
more from communities who are behind the SW. So getting more out of the SW
itself, one needs to understand the community behavior behind it.
11.1 Comparison of the financial structure
When proprietary SW vendor is selling the license to use its SW, the trade is
straight and bilateral. SW vendor is delivering the SW to the SW user and the
user is paying the invoice.
It is much more complicated when there are OS elements involved. From the
user point of view there are much more than just the proprietary element,
although it is still there.
User can obtain the SW from OSS vendor, OSS distributor or even directly from
the OSS community. In each case the payment might be involved, but not
always.
If we look behind the user front, there might be again deliveries and payments
between individual SW developers (contributors), communities, OSS/traditional
vendors and even financial support from the governments and universities.
Addition to the traditional business models, there is new business model, which
has not been as such before: Donation. We will see how company tax
legislation will cover that in the future.
I won’t discuss donation business model in this thesis, but let that to be for
further arenas and discussions.
11.2 Comparison of the organizational structure

35. 33
It is fair to say that the traditional proprietary SW companies have a closed
structure. Discussing not the ownership structure but discussing only about the
operative structure there are always top management in the middle of the
structure which controls everything. In the ideal world literally everything what is
happening in the company, is happening because top management allowing
that to happen.
Around top management are other management layers, functions like marketing
and delivery, R&D and so on. It is quite centric structure. Even if we use
regional perspective to make it 2 -dimensional or 3 –dimensional, it is still
centered.
Or how many companies can say that their customers can talk to anyone at the
SW development process to tell their requirement towards the SW functionality?
If we look at the open structure, it centered too. But it is centered on the
internet. There are community leaders, end users (customers), developers and
testers all around the same table. Even the markets and marketers as well as
binaries and the source code can be found from there. And at least my
experience is that everyone has exactly the same goal, which is to define
proper functionality and make the SW ready and mature for use.
The community developers and users are the owners. There are no conflicts of
interests then.
I won’t discuss a profit driven community or best-from-both vision in this thesis,
but let that for further discussions.
11.3 Sustainability
Sustainability is the most important element when analyzing the community
itself. It can be cut again to smaller elements [16]. These are:
• Economical
• Legal

36. 34
• Social
• Cultural
All these elements should be in line with the company strategy or at least at the
stable phase on the chosen community.
11.4 BRR
The Business Readiness Rating (BRR) is a community forum that helps
developers rate open source software in a standardized way (Picture 5). The
rating system is sponsored by Carnegie Mellon West Center for Open Source
Investigation, O'Reilly CodeZoo, SpikeSource and Intel Corp., and it has been
in an evaluation phase since mid-2005 [17].
Picture 5. The BRR model
The BRR evaluates an open source project or product using a series of seven
categories and a handful of subcategories. They include functionality, reliability,

37. 35
scalability, architecture and code quantity, support and services, licensing,
project management, documentation and community [17].

38. 36
12. COMMUNITY WORK
The OS community is a term referring to the users and developers of FLOSS
/ OSS as well as supporters.
The first important fact is to understand, that the activity of a community does
not follow profit motivations like enterprises do. The second important fact is
that hierarchical co-ordination emerges without proprietary rights. The third
important fact is that the Open Source systems diffuse in environments
dominated by proprietary standards. [19]
Quite often the community is build around few people who run the
community meritocratic way. This means that one have to prove that he/she
is worth of something if he/she wants to go up in the hierarchy.
There are certain procedures and tasks one can execute in order to go up in
rank (Figure 6). The upper one go, the fewer are the colleagues. At the top
there are usually one person or small group of people who can decide where
the community is moving i.e. what kind of SW features are taken in and so
on. Good community is always open for strategic approach suggestions.
Figure 3 shows also the activity level of the contributor and the amount of
contributors. In the bull’s-eye or at the top there are less people, but who are
more committed and contribute most of the code. There is again one 20/80 a
rule of thumb here: 80 % of the code is made by 20% of the developers.

39. 37
8
7
6
5
Figure 6. Simplified community structure.
If we look outside the community scope, the most of the source code is coming
from individual authors (Figure 7).
Figure 7: Origin of the FLOSS code [4].
1. Project Manager
4 2. Core team
3. Active developer3
4. Stray developer2
1 5. Stray bug fixer
6. Bug reporter
7. Hang around people
8. Passive user

40. 38
12.1 External communities
One of the most successful and largest OS communities is built around Linux
platform. In fact it has already several communities around the original one.
If we look at the similar communities, which have a set of projects, we need to
agree, that SourceForge.net is the world's largest Open Source software
development community or active web site. SourceForge.net provides free
hosting to Open Source software development projects with a centralized
resource for managing projects, issues, communications, and code. There are
~175 000 registered projects and over 1.83 M registered users [14].
When a company is picking up the community, it needs to think at least the four
following aspects:
1. Legal & IPR aspects
• Ensuring that there are no harm seen now nor in the future
2. Community aspects
• Community being active and there are existing multi-polarity on that
3. Community roadmap aspects
• The future is defined and the company can influence to the future
4. Technical aspects
• Projects are fulfilling the technical, quality and maturity requirements set
by the company. These need to be at least at the same level as they are
in the other parts of the company.

41. 39
12.2 Own communities
It is important than when the company is sustaining a community, it will put
effort on community activity. Active communities look interesting and encourage
contributors to the community work. It can be said, that the fact that something
happens, is important.
Active community also does marketing effectively on the internet. Ongoing
marketing should be broadened from the project itself to the complimentary
projects. This is a sort of pushing contributions from inside and outside the
company.
A company should mentor key project persons and assist new comers to get to
know the community. Other important tasks are monitoring the activities and
community feedback. The most important task is to monitor the strategic
direction of the community that it is in line with company’s strategy.
A quite good way is to set up a company policy how OS should be approached.
Like any other policy definition, it should impress company strategic intent
towards OS. But the employee point of view, it should give guideline how deal
with the OSS and how to communicate with the communities.
On appendix 1 is an example exam which can be taken as a base for a
company exam if wanted. After reading this thesis one should also be able to
answer those questions. The true meaning of that kind of an exam is to ensure,
that the company employees are really aware of the risks, what the OS is
bringing to the company, if not treated right and proper way.
A good example of the own started community is garage.maemo.org, where
Nokia invite others to participate to the product development in areas that are
not developed elsewhere. Garage hosts the SW projects related to the Nokia
internet tablet.

42. 40
Communities are very important interface when making big business decisions.
Like when Nokia acquired Trolltech, they informed not just customers and
partners, but also communities with a separate announcement [7].
A community friendly company can give support to the communities many
ways, not just donating money to cover the operating expenses. It can hire
developers and let them influence to the communities. It can release code,
servers and even patents to the free use. Releasing OS SW back to the
communities is essential to work with those.
A company can even have a position within its organization, Community
Manager, which has a task to work with some important communities. Together
with the rest of the organization they can decide how the company developers
can participate the community work. There are companies, which have a test
before you’re allowed use for example the company email for the community
communications. The company makes sure that the contributor is aware of NDA
issues, like trade secrets etc. when asking to pass the test before.
12.3 Community characteristics
There are some very simple principles, how people in the OS community work
differ from the people who are working in proprietary SW projects in corporates.
12.4 Drivers
In the corporate world there are some drivers or working principles, which guide
the product development. These are like:
• People work to meet the requirements
• People work according to the schedules to meet deadlines
• People work on a project until it’s finished (or cancelled)
• People work to meet specific (hopefully high) quality goals
If we look at the OS community world, the principles are different and are based
on the other needs:

43. 41
• People work on what they find interesting
• People work when, and as much, as they feel like
• People work on a project until they get bored
• Quality levels are often negotiable, but not low by default
If we look at these more carefully, we might say they are more like emotions.
And actions coming from emotions are more committed.
12.5 Behavior
If we look at the developer from the OS and community point of view, we notice
the following:
• Developers spend more time online than they do with the printed
publications
• Developers would rather touch the code than to hear about it
• Developers don't just code at the office
• Developers don’t sit back and wait for updates or news; they can make
their own
• Developers are starting their own mini communities via blogs
If companies can give a project, which is interesting enough, has a pragmatic
use case and can solve a real problem, they can be sure that it will lure
developers to the community. Developers want to make good quality, and the
community will take care of the testing part of it [15].
If a company fails to manage a community with community rules, the community
withers away. All the investments done to sustain the community have gone
away with vanishing users and developers.

44. 42
13. CONCLUSIONS
Following this OS Analysis Process (OSAP) and utilizing its modules will not
dissipate the risk totally away (Flowchart 1). There are always some risks
remaining at some level. It is up to company management if they are willing to
take and manage the risks.
Company NoUse of ProprietaryBusiness CaseStart EndOSS SolutionAnalysis
Flowchart 1. Process description of OSAP.
OSAP cannot be a separate process, but it needs to be integrated to the
product development process as a sub process. It needs to synchronize with
product development process milestones and added to the milestone criteria
when OSS components are used.
As every process, OSAP also needs to have an owner and several specialists
to make the process effective and be up-to-date. Executive sponsor plays key
role here too. Without that role there won’t be any need for this process, just
because there won’t be any OS components integrated.
It is just too risky to do without proper analysis and thorough preparations.
End
Company
OSS
Warehouse
Communities
Internal Analysis
External Analysis
Business Case
Analysis
Use of
OSS
OSS
Solution
Yes
No
Yes
Business
Case
Documentation

45. 43
14. CRITICS AND SUGGESTED PROCEEDINGS
There is only one case on this thesis, which is Nokia Internet tablet continuum.
It gives still enough perspective for deductive reasoning method, while all the
facts around the case are same for all the cases.
However, if there were more cases to be included, it would give more non-case
sensitive and generic approach to the thesis discussions and the analyzing
processes.
It is difficult to phrase exact guideline or instructions how company should
proceed with the OS selection and selected solution. It is so conditional on the
company strategy and therefore very much case sensitive. Basic elements are
the same, but they need to be projected and aligned by the company strategy.
As a one additional element for the SW companies on the top of the thesis
guidelines could be focused consultation service. Together with the customer
company, an OS customizing service could analyze the business situation and
help the company to make the business decision to go or not to go with the OS
solutions
14.1 Donation
Donation as a business model is a new element on the business model set, and
need to be explored more for one thing and another. It has characteristics which
are not typical for customer-vendor relationship or cannot be understood from
other traditional business perspectives too. There are definitely some legislative
and IPR perspectives too.
14.2 Profit driven community
A profit driven community vision and a mode of operation for that could be
discussed on the next proceedings. It could be challenged from the ethic and

46. 44
business perspectives. It must be there somewhere in the plasma between
closed and open sourced worlds.
14.3 Opening whole entity
It would be interesting to continue this discussion if company would like to open
the whole/critical part of the SW to the community use. What kind of business
analysis is done and how the Total Cost of Ownership is formulated then.

47. 45
15. REFERENCES
[1]. Economic impact of FLOSS on innovation and competitiveness of the EU
ICT sector,
Rishab Aiyer Ghosh, UNU-MERIT, the Netherlands
[2]. Economic Impact of Free/Libre/Open Source Software, Rishab Aiyer Ghosh,
United Nations University/MERIT, Maastricht
[3]. Assuring Quality and Usability in Open Source Software Development,
Henrik Hedberg, Netta Iivari, Mikko Rajanen & Lasse Harjumaa, Department of
Information Processing Science, University of Oulu
[4]. Verso, Open Source Business Program, Toimituskunta Tommi Järvinen,
Matti Saastamoinen, Tekes Tampere 2007
[5]. http://www.nordicos.org/
[6]. http://www.sun.com/aboutsun/pr/2008-01/sunflash.20080116.1.xml
[7]. http://trolltech.com/28012008/28012008
[8]. http://www.tietoviikko.fi/doc.do?f_id=1332728
[9]. Nokia and open source – Case Nokia N800, Ari Jaaksi, Nokia, Presented on
Verso Open Source Business Program, 13.3.2007, Helsinki
[10]. Wikinomics, How mass collaboration changes everything, Don Tapscott,
Anthony D. Williams, London 2006
[11]. http://www.opensource.org/docs/definition.php
[12]. Minimizing IPR Infringement Risks in Open Source Projects, Mikko
Välimäki and Ville Oksanen, Helsinki University of Technology, 02015 HUT,
Finland
[13]. Quality Practices and Problems in Free Software Projects, Martin
Michlmayr, Francis Hunt, David Probert, Centre for Technology Management,
University of Cambridge, Cambridge, CB2 1RX, UK
[14]. http://sourceforge.net/?testing=1
[15]. Ammattilaisia vai amatöörejä? Avoimen lähdekoodin yhteisöjen toiminta,
Open Source Undercover 4.4.2006, Niklas Vainio, Tampereen yliopisto
[16]. Elements of Open Source Community Sustainability, Niklas Vainio & Tere
Vadén, TU, Ville Oksanen, HUT and Mikko Seppänen, TUT, 2006
[17]. Business Readiness Rating, Anthony I. Wasserman, Carnegie Mellon
West

48. 46
MuruganPal, SpikeSource, LinuxWorld, Boston, 4 April 2006
[18]. Bob Iannucci, SVP, Head of Nokia Research Center, Mobile Mash-Up,
April 24, 2007 Santa Clara, CA, USA
[19]. Why Open Source software can succeed, Andrea Bonaccorsi, Cristina
Rossi, Laboratory of Economics and Management, Sant’Anna School of
Advanced Studies, Piazza Martiri per la Libertà 33, 56127, Pisa, Italy
[20] Karl Fogel, Producing Open Source Software, http://producingoss.com/
[21] http://schlitt.info/applications/blog/index.php?/ archives/541-10-golden-
rules-for-starting-with-open-source.html
[22] http://greg.chiaraquartet.net/archives/171-10-golden-rules-for-running-an-
open-source-project.html

49. 47
APPENDIX 1:
Example of the Company authorized contributor exam (1/5)
Congratulations!
You’ve decided to utilize your skills and knowledge as an authorized contributor
of the Company.
According to the Company Open Source contribution policy you need to
successfully pass this exam before you are able to contribute as a Company
employee.
By passing this exam you have showed that you are aware on certain (listed)
polices, processes and procedures of the Company and you are legible to the
certain (listed) privileges as an authorized contributor.
You will have ½ hour for the exam. You are allowed to make 1 mistake.
Good luck for the exam.
Please complete your personal information:
Name: ____________________________
Company Id #: ______________________
Place and Date: _____________________
If know already
Communities of interest:______________
__________________________________

50. 48
APPENDIX 1. (2/5)
1. Which of the following statements are TRUE according the Company
OSS Policy and process? Please circle the answer(s) you deem are
correct.
a) Open Source developers are untrustworthy and unreliable
b) All the purely SW related questions must be answered, if the
answer is known
c) Working with the community can risk Company patents
d) One should never work on the competitors community
2. Which of the following are TRUE when categorization an OSS project
according the Company OSS process? Please circle the answer(s) you
deem are correct.
a) The amount of code contributed by the Company employees
b) The cost of the Internal Analysis
c) The IPR risk intensity
d) The person who is leading the OSS project / Community
3. Which of the following contribution type(s) implies the creation of a new
OS project according the Company OSS process? Please circle the
answer(s) you deem are correct.
a) Pre-cleared contribution
b) New contribution
c) Derivated contribution
d) Minor contribution
e) Major contribution

51. 49
APPENDIX 1. (3/5)
4. Based on your answer above, which analysis are mandatory for that type
of contribution. Please circle the answer(s) you deem are correct.
a) Only the IPR analysis
b) Applied Internal analysis
c) Member of the Board analysis and approval
d) No analysis when contributing
5. Which of three following are considered as a possible legal risk when
making a contribution? Please circle the answer(s) you deem are correct.
a) Dealing with the Company/Partner/Supplier trade secrets
b) Ensuring compliance with the commercial agreements
c) Non-existence of the indemnification or other contractual
protection
d) All above
6. Which factors are the most important when analyzing OS technology to
be added into the Company product? 1= most important ….4 = least
important
a) The publicity for the Company brand
b) Size of the Company investment
c) Differention possibility
d) Competitor presence

52. 50
APPENDIX 1. (4/5)
7. Please explain the key differences between
a) Copyright and Patent
b) GPL and BSD license
c) Private contributor and Company authorized contributor

53. 51
APPENDIX 1. (5/5)
8. Please identify four risk categories when using OSS and explore them a
bit why they are so risky for the Company?
a)
b)
c)
d)