Do We Need An Open Source Audit?
Over the past 3 years, we have conducted over 100 open source audits. Almost all of our customers were software developers, who were developing their own software, but had also added in significant open source into their software.
Here are some of the key situations that necessitated an audit:
Company was being acquired – Usually, the acquiring company will audit the seller’s intellectual property. Since the valuation of the company can be driven down by a negative audit result, it is wise to pre-audit your source code, using a professional audit firm. Any issues can be discovered and rectified before the formal audit by the acquirer.
Company is acquiring another company – The acquirer will inherit any IP issues from the seller. Almost all of the larger acquirers will use audit software and a professional audit firm to uncover issues prior to the closing.
Company is a large technology provider and incorporates software from a variety of supply chain participants – The lawsuits have tended to focus on the larger companies with bigger pockets, and the courts have ruled that if a company distribute software provided by someone else, and if that software has licensing issues, the distributor is equally liable as the original supplier. This means that most large technology provider have decided to require audits from their upstream software suppliers.
Company is a software supplier to a larger technology provider. As the technology provider will require an audit, it is often a good idea to do a preliminary audit which will discover and rectify any issues.
Common Open Source License Obligations
Since there are several hundred thousand free, widely used, and well maintained open source packages on the internet, it makes perfect sense to leverage open source whenever possible. If you are a commercial software developer that depends on selling your own software in the marketplace, however, it is important to understand the legal obligations and the legal restrictions that come with your open source license.
With most Open Source licenses, obligations and restrictions in the license only apply if you distribute the open source, i.e., you incorporate the open source inside the source or binaries that you ship to your customers. If you use the open source software only as a tool during the development process, the obligations posed by the open source typically do not apply.
With most Open Source licenses, the typical obligations center on attribution and re-distribution.
Attribution refers to giving credit to the authors and contributors of the open source software, i.e., the commercial software provider that incorporates open source inside, might need to properly give credit to the creators of the open source. The requirements can include none or some of the following: do not remove copyrights in the source code; provide credit in the end user documentation; do not use the open source authors names to endorse the commercial product without permission; clearly mark if you make any modifications to the open source; if there is a redistribution requirement, clearly show in the documentation how to get the redistribution; in any advertising you do for the commercial product, make sure you acknowledge the open source component provider.
Re-distribution refers to making the open source and related components freely available, i.e., free of charge and available to the public. This is typically under the same license as the original open source. This can include the original open source, any modifications you make, and most importantly, any software “based on” the open source code. “Based on” is interpreted differently depending on the license. Some licenses are viral in nature, and by some interpretations essentially force you to make all of your own commercial software that is linked to the open source software to also be given away free. These licenses are also called “copy-left” licenses, and pose the greatest threat to a commercial software company’s business model.
Restrictions depend on the license, but common restrictions include: do not make any modifications to the open source; do not distribute this open source software without adding value of your own with additional software; do not remove copyrights in the open source; do not initiate patent litigation against any of the contributors to the open source on the grounds that something in the open source violates one of your patent claims. Violating these restrictions can cause the license to be terminated.
While there are several hundred unique licenses, the following discusses some of the common types:
The least restrictive licenses are public domain licenses, which are essentially no licenses at all. Source code provide in the Public Domain are free to use without restriction i.e., you can use the source code without any attribution or re-distribution and you can make modifications and derivative works; and you can distribute any or all of the open source software as you see fit.
These are followed by MIT style licenses, so named, because these licenses follow a template created by MIT. In these licenses, the rights are similar to public domain and the only obligation is attribution. For MIT style licenses, this requirement is often satisfied by leaving the original copyrights that came with the open source software in place and also providing credit to the open source authors in the end user documentation.
The next common style is BSD style licenses, originally created by the University of Berkeley, with both an original and a “modified” version of the license available. These licenses are similar to MIT style, with the additional attribution requirement that the commercial software provider cannot use the names of the open source provider as a product endorsement without explicit permission. The original BSD license also required that in any advertising done for the commercial product, there was an acknowledgement of the open source provider; however, the modified BSD license is far more common.
The next common license style is from Apache, which is a large well organized cooperative of open source contributors, with an extensive library of open source software. The Apache 1.1 licenses requirements are very similar to the BSD modified license requirements. The Apache 2.0 license adds that any modifications to the open source code must be clearly marked with a change log. The Apache 2.0 license adds an important restriction, the patent non-assert clause, which essentially states that if you initiate patent litigation against any of the authors or contributors who helped create this open source, you can no longer use the open source.
The next common set of licenses is the Common Public License and its derivatives such as Eclipse Public License, IBM Public License, Mozilla Public License, etc. These licenses all have similar obligations to the MIT license, but they also have additional obligations in attribution and re-distribution. The CPL license requires that the commercial software developer has to make the original CPL licensed open source code as well as any changes to that source code made by the commercial developer, available for free. In addition, the commercial software developer has to state in the end user documentation how the user can obtain this open source code along with the changes. Finally, the source code changes made by the commercial developer should be clearly marked. It is important to understand, that nothing in the CPL or its derivatives compels the commercial software developer to give away for free its own code that is packaged in separate modules from the open source software.
The final common set of licenses are the LGPL v2.1 and the GPL 2.0 licenses, which together make up about 70% of all of the open source code inside sourceforge.net, a well known open source repository.
The GPL 2.0 license has all the same attribution and re-distribution requirements as the CPL license above. However, the GPL also require any works based on those packages to be offered (re-distributed) under the same “free to the public” terms. Most commercial software companies consider this an unacceptable license for commercial software, because it does drive a change to their basic business model.
The LGPL v2.1 license carries a similar obligation to the GPL 2.0license but has a more restrictive definition of where the re-distribution obligation applies, which makes it friendlier to commercial companies then the GPL license. For example, any commercial software which is dynamically linked to the LGPL licensed package does not require re-distribution. However, the LGPL license also carries other obligations such as requiring the distributor of any package which includes the LGPL libraries to allow the end user to replace those libraries. This may conflict with some of the terms of the commercial software package.
There are also several dozen unique licenses for individual open source packages. While they can generally be classified as similar to one of the common licenses described above, they often have some unique requirement or feature that needs to be taken into account.
To summarize, open source licenses center on attribution and re-distribution, although they can have other requirements as well. Understanding these license obligations, and abiding by them, is the true cost of free open source, and it is important to understand and manage these license obligations to avoid legal issues and to safely leverage open source.
When Source Auditor conducts an open source audit, we help our customers identify and understand the technical aspects of their license obligations arising from downloaded open source. When open source packages are identified with terms unacceptable to you, we also suggest alternative implementations to replace those packages.