This section considers mostly technical factors you
should consider when looking at what the software vendor actually supplies to
the escrow business. The objective here is simple - usability. In other words
if you get the software source code out of escrow, can you actually do what you
expect with it ?.
No software stands completely alone. At the very
least it requires an operating system (O/S) on which to run. The line between
‘application’ and ‘operating system / support’ software is
increasingly blurred - software applications invoke lower-level
functions/services in various ways. The vendor may also have used (with or
without a formal license) software components from another vendor that they
transparently bundle in to the software they deliver to you.
The key thing here is to tie the scope of what is put
in escrow to the contents of what you use for each release of software by the
vendor. The scope here is relatively easy to define if you receive discreet
releases e.g. computer media or zip files over the Internet and installation
instructions with each software release. Here the scope is what you physically
receive with each release. You may not receive physical releases if you, for
example, use the software on an outsourced or externally-hosted basis (e.g.
software as a service). Either way, you need to correlate the source code with
the object code you start using with each release of the software. You need to
take into account partial releases. For example if you receive ‘dot’
releases or patches, you need to know that you always have in escrow what
amounts to a complete cumulative release.
You should end up agreeing what constitutes each
‘full release’ with the software vendor. It is a good idea if what is
put in escrow is the full release plus the matching source code items. That
way, you can quickly reconcile both software source and executables if you ever
need to use the escrow contents in a hurry.
| Question |
Notes |
| When are items put into escrow ? |
The escrow business typically confirms to both
you and the software vendor when it receives new items to put into escrow. The
software vendor should commit to a schedule here e.g. escrow contents updated
“.. within X hours/days of a major software release or change of
development environment, within Y hours/days of a minor
release...”. |
| Are there any items in the release for which
there is no source code in escrow ? |
The vendor may bundle into the release source or
object code they do not own outright. You need to know if what is in escrow
covers that as well. Some items in the release may be readily available (open
source or already licensed to you directly). You need to know what those items
are. |
| Are all the items in escrow free for us to use
per the escrow agreement ? |
If there are 3rd-party source/objects in escrow,
the suppliers of those may think their use is limited to the software vendor
only. For example, the source/objects are licensed. If you directly use the
items, it could be viewed as unlicensed/unauthorized use. |
| Can we extract the release from escrow and
compare to what we currently use ? |
If you can periodically get the release contents
- excluding source code - from escrow and compare to the contents of the
release you are currently running, this provides a good sanity check that the
release held in escrow is complete and uptodate. Whether the source code in
escrow matches the release in escrow is a different issue. |
| Can we sample the source code held in escrow
? |
The escrow business may know little about
software technology. They are unable to look at lines of source code and know
what it is they are looking at. If you want to have a look at some of the
source code, you have to agree with the software vendor how that happens. This
may involve using a new third-party e.g. an independent IT consultant. For
example, the escrow company provides a list of computer files it holds. The IT
consultant - in agreement with the software vendor - picks 10%-20% of the
computer files to review. The IT consultant then reports back to both you and
the software vendor. |
| What do we need to use the source code we get
from escrow ? |
There is not much point in getting the source
code from escrow if you don’t know what to do with it. For example the
software vendor may have a development environment (compilers and other
development tools, multiple computers for development and testing etc.) that
your business will find difficult to replicate. You need some clues upfront as
to what you need to do if you receive the source code from escrow -
particularly if the vendor is unable or unwilling to help you at a later
date. |
| How do we verify the technical usability of what
is held in escrow ? |
The escrow business may offer a service here -
from a basic inspection of escrow contents to full verification of escrow
contents. See the preceding section of this Web site. You may want to agree
with the vendor separate steps for confirming the usability of what is held in
escrow. |
| Can we modify the source code we get from escrow
? |
Apart from recompiling the source code, you may
want to extend it - for example to add features that the vendor is no longer
willing or able to provide. |
| Is there any restriction on our employing your
personnel ? |
If your relationship with the software vendor
breaks down completely, you may need help to use the contents of what you
retrieve from escrow. One option is to recruit someone from the vendor to join
your business. You need to know if that option is limited in any way. |
One major further question “What triggers
release of full escrow contents to us ?” is addressed in the next
section.
