Image credit: ALM Events

Open source software powers the apps, websites and computer networks that run your world.

It also serves as a gateway that can allow malicious code to enter your organization, download and steal proprietary data, costing you clients and your company its reputation.

If your organization fails to comply with the open source software license requirements associated with the open source software embedded your company’s software programs, it could get sued for monetary damages. The licensor of the code and open source software organizations like the Software Freedom Conservancy, the Software Freedom Law Center and gplviolations might also enforce the open source licenses you use.

Chris Stevenson, open-source software lawyer with DLA Piper Global Law Firm, and Kevin Wang, ceo with Fossa, an open source software compliance solutions provider, discussed the legal obligations of using open source software licenses, various types of open source licenses and how companies should comply with these licenses at the Legalweek NYC Conference in New York City on January 31, 2019.

What is Open Source Software?

“If you are a software company — or maybe even if you’re not a software company — you’re using open source software whether you know it or not,” explained Stevenson.

“But there are a lot of misconceptions about what open source software is. People hear the term ‘open source’ software, they often think software that is free.”

Presentation credit: Stevenson and Wang

The Four Freedoms of Open Source Software

Stevenson said that open source software licenses operate under the following four terms to actually be a piece of open source software:

• The freedom to run the software. “I should be able to get a piece of software, run it the way I want for the purposes I want to use it without restriction.”

• The freedom to study the software. “Look at the software, figure out how it works, figure out why it is doing what it is doing…see the source code…”

• The freedom to redistribute a piece of software that you receive and think it will be beneficial to others. “Under an actual free software license, I should have the right to redistribute that software to other people.”

• The freedom to redistribute your software modifications. (This gets people most worried, said Stevenson). “So, if I get a piece of software, I notice there’s a problem with it, I notice there’s a way it can be improved, I should be able to modify that software and fix that. And I should be able to redistribute it to other people who might also benefit.”

So What?

Presentation credit: Stevenson and Wang

“You need to know what is in your software…You need to create a notice at the very least telling people what open source software is in there,” noted Stevenson after he cited a Gartner Group survey that found over 80 percent of code in software products is open source.

Stevenson also said that open source software contains software vulnerabilities.

“…If you don’t know what it is in there, then you won’t even know if this vulnerability can be fixed.” This could lead to data breaches, costing companies “a lot of money.”

Open source software can enter your organization’s code base if it hires contractors to develop code and if you purchase third party commercial code to which you may not have the source code. “Chances are that has open source in it, as well. So there are all kinds of different ways that open source code can enter your code base. You just have to keep on top of that,” Stevenson said.

He also noted, “If you’re going to sell your company or looking to sell assets of your company, one of the first requests you’re gonna get is ‘tell us the open source software in your software.’ And the answer that you have to be able to have to whoever is asking that question is ‘here is a list of everything we have we know exactly what’s in there.’”

Almost every single open source license requires (at a minimum) companies include copyright notices in their software code explaining the licenses they use.

“Some of the more restrictive licenses know because you’re using open source, because they have these requirements, if you’re not compliant, there is a chance that you’re going to be the target of an action that can come from the open source software community,” Stevenson explained.

What Open Source License Should You Use?

Presentation credit: Stevenson and Wang

BSD, MIT and Apache Licenses

“These are licenses that don’t really ask much of you,” Stevenson shared. “For BSD,MIT, all they’re asking you to do is keep the copyright information in all copies of the software. Let people know what’s in there and provide the text for the license. For Apache, you have to do that and provide the text for the license.”

LGPL and MPL Licenses

LGPL (Library General Public License) and MPL (Mozilla Public License) licenses have the same disclosure obligations as the BSD, MIT and Apache licenses. “…You also have to provide the source code to the open source files. And if you modify that software. So if you go into the source code files, you made modifications to those files or you copy a piece of software from one of those files and paste that into your own file, those are considered modifications that you must then license under the terms of that license.”

GPL and AGPL Licenses

GPL (General Public License) and AGPL (Affero General Public License) licenses include the same requirements as the weaker copyleft licenses (include copyright and license information and the source code.)

“But if you make a different work of a piece of software (which is using a strong copyleft license), which can be incorporating that piece of software into your product in a way that you can’t really separate the two products, it’s a little gray… In some cases merely what you’re linking to a piece of strong copyleft code can create a work based on that product…

That entire code is now is open source. You have to license that under a restrictive copyleft license. You’ve got to provide the source code to your proprietary piece…”

Stevenson emphasized that these licenses are not considered public domain. “But it’s important to know that these are not public domain. A lot of people think that if you’re open source, ‘I can do whatever I want to’…. Know that they’re still licensed to you. Yes and there are obligations that you must comply to. They’re not simply, ‘I can do whatever I want to…’”

How Should You Ensure Your Software is Compliant?

Presentation credit: Stevenson and Wang

“Compliance has to be this continuous thing that you run throughout software development,” said Fossa CEO Kevin Wang after he stated software developers use 10,000 to one million different open software components in their organization, depending on its size.

“And so the best practices that we’ve seen is number one to shift left. And what that means is you got to be proactive. It’s to deal with compliance at the earliest stages of development before developers have invested a lot of resources around using piece of open source,” Wang stated.

“And so I’m gonna enroll them early on the workflow, right when they’re thinking about using a component, thinking about leveraging a piece of open source. That’s when compliance needs to start.

The second really impactful thing that we’ve seen companies do is standardize how they do software testing and software delivery. And so what that means is usually at every single company that you’ll work with, there’s going to be some sort of automated quality control mechanism for how software gets developed or how developers introduce pieces.”

Wang also recommended that organizations have a data-driven policy. “Understanding how open source software gets used inside your organization…”

How to Run an Open Source Code Audit

Wang listed four steps to conducting an open source code audit:

• Define the scope of coverage.
• Run an open source scan.
• Get the results from the scan.
• Generate compliance documentation.