Open Source Software: Compliance Basics And Best Practices

HeatherMeekerEditor’s note: Heather Meeker is a shareholder and chair of the IP/IT Licensing and Transactions Group in the international law firm Greenberg Traurig LLP, and a leading authority on open-source software licensing.  

Startups stand on the shoulders of giants, developing proprietary applications on top of a software landscape that heavily leverages open source components. But as the saying goes, free software is not free, and using open source software requires that organizations understand the legal framework of open source.

Failure to follow the licensing conditions for open source software can result in lawsuits, bad public relations, and more. To reduce risk, companies large and small need to have a basic understanding of open source license conditions and have in place an actionable list of best practices that includes seeking legal guidance when necessary.

Open source software users must follow the licensing conditions for each package they are using, including subcomponents. This can be perplexing, as there are hundreds of different open source licenses, each with its own, sometimes unique conditions. The good news is that a majority of open source software is covered by a handful of licenses, and there are just two major license categories: “copyleft” requires developers to make the source code and documentation available; and “permissive” applies minimal conditions, such as author attribution.

Meeker_licensingOrganizations must have a license and compliance strategy in place that fits both categories. This begins with keeping a record of the licensing terms that apply to the open source software you’re using — including subcomponents and dependencies. Once you know what you are using and the licenses that apply to it, you need a strategy for compliance. Some open source software licenses have simple requirements, and some have requirements that are more complex, such as source code delivery. Your strategy needs to handle such requirements in a streamlined process.

For example, all open source software licenses have notice requirements. If you distribute a product that includes open source software, the notice requirements may instruct you to deliver a simple copyright notice – or even the entire text of the license that governs the software – with your product. While notice requirements are usually not difficult to understand, complying with them can be time-consuming – and challenging when you’re on a product release deadline. Copyleft licenses go further and limit the way developers can integrate the open source software with proprietary software. They also require an offer of source code and build documentation every time you deliver a binary.

Many companies have come to realize that managing the use of open source without automation diverts business, technical and legal resources, which is part of the true cost of free software. The last decade has seen an evolution of automated tools to help identify, track, and manage the use of open source software.  The best tools can help manage use of software in an integrated way, not focusing on open source or proprietary software to the exclusion of the other.

One such approach is Component Lifecycle Management (CLM). CLM is the process of providing developers with collaborative tools, intelligence, and control at every phase of the application lifecycle that addresses the management of licensing risk for component-based development. CLM products, such as Insight from Sonatype, provide a set of software management tools designed to help organizations incorporate CLM practices easily into their development processes. For instance, such tools enable organizations to select appropriate licensed components during design and development; identify and manage component licensing during the build phase to address issues quickly and avoid costly rework; and scan existing applications to identify licenses and dependencies, so you can assess these against corporate policy.

Open source licensing can be complex and confusing if you are accustomed to living in the world of proprietary licensing. So when it comes to evaluating the legal conditions for use of open source software components, don’t hesitate to ask for help. Look to legal experts to help you understand how to combine open source software under different licenses and properly prepare for a product launch or acquisition/exit transactions.