Understanding Open-Source Licensing

May 27, 2021

Open source licensing isn’t very complicated as license agreements go. Even so, some people find it confusing, and businesses need to pay close attention to how the licenses work. Making a mistake in one direction can result in legal action. Erring in the other direction can keep a business from doing useful things which are entirely legal.

Free vs. open source

There’s a philosophical rift between the “free software” and “open source” movements. A large part of it is rhetorical, but it results in different license terms. Free software advocates insist they mean “free as in freedom,” not “free as in free beer.” They call their claims “copyleft” rather than “copyright.” In practice, some free software licenses are more restrictive than the usual open source licenses. Look at what the license says, not the rhetoric surrounding it.

Sometimes the term FOSS (free and open source software) is used to cover both. This article will use “open source” to include “free software,” except where it’s necessary to point out distinctions.

What you can do

Regardless of their differences, all open source and free software licenses let you view the source code, download it, and build it into your own software products for your own use. You can modify the code if you like. In many cases you can charge for the copies, but you’re competing with free downloading if you do.

This doesn’t necessarily mean you can do anything useful with the code without paying license fees. The open source code may depend on other software that requires a paid license. To make it into operational software, you have to either pay for the license or develop additional software that makes the paid part unnecessary.

With most open source software, you can make changes and publish them as a fork of the original code. If you do, you have to make it available under the same license and make it clear that it’s a derivative of the original source code.

There’s no warranty on the software. The developer may offer support for a price, or you can go to someone else for support.

What you must do

Nearly all open source licenses require that if you distribute a copy of the source code, you have to include a notice of the license. This keeps anyone from giving the impression that it’s their own proprietary code. The requirement also applies to derivative works, such as modified versions of the code and applications that incorporate it. If you publish an application that uses open-source code, you usually have to present a notice to the user that it does. The required form of the notice is different for each license.

The issues come up only if you distribute new source code or object code. If your business uses open source only for internal purposes, it can do what it wants as far as the license is concerned. However, it may be subject to patent claims.

The GNU GPL

The difference between “free” and “open source” licenses comes into view if you use licensed code to build and distribute your own software products. The GNU General Public License (GPL) requires that if you convey a work based on GPL-licensed software, you must release it under the GPL, and the user interface, if any, must say so.

The license defines the term “convey” as providing copies of the software to others. If you run the modified software on a server, either internally or as SaaS, that’s not conveying, and you don’t have to release your source code. However, if you distribute software which uses GPL-licensed libraries, then you have to license it under GPL. This leaves gray areas, such as putting applications on employees’ phones, where legal advice may be necessary.

The Free Software Foundation has taken legal actions against software distributors which have failed to comply, getting some favorable settlements. The legal concern is real.

Software developers need to make sure their contractual obligations to customers don’t conflict with their obligations under the GPL. A business which develops an application and agrees to give the customer full and exclusive rights may not be able to use GPL-licensed libraries.

There is also the LGPL, or Lesser General Public License, which is similar to the GPL except that it doesn’t extend the GPL’s licensing requirement to other software that merely uses the LGPL-licensed library.

The GNU Affero General Public License, on the other hand, is stricter than the GPL. It requires that providers of software running on a server (SaaS) make the source code available under the Affero GPL, even if the software isn’t conveyed in the sense which the GPL defines.

Open source and patents

There’s no guarantee that an open-source work is patent-free. If a court rules that an application performs a patented process, then the patent holder is entitled to collect fees for its use. Some patent holders don’t interfere with software that is distributed for free, but others are very strict. Users, as well as distributors, of software can be the target of patent lawsuits.

Before the patents on the MP3 format expired, their holders insisted on payment for all software that created or played the files. One open-source MP3 library, called LAME, was distributed only in source form, on the theory that source code constituted only an “expression” of the format’s algorithms, and thus didn’t infringe on the patent. It was never challenged on this point.

The main risk for users is that software developers may withdraw their product in the face of a patent challenge. This will leave the code unsupported.

The importance of keeping records

Businesses are used to keeping track of licenses on software which they pay for. They need to do the same with open source software, to be sure they’re using it legally. One piece of software may carry multiple licenses if it’s made up of components from different developers. Legal rights for further distributing it, or for using it to build new code, will vary from one license to another.

Companies distributing open source software need to decide what the best form of licensing is. If they want to ensure that their software is used only in other free products, they should issue it under the GNU GPL or something similar. If they want to give others the choice of whether to open up code that includes it, they should choose a more permissive license that allows that.

This article is not legal advice. When in doubt, consult with a lawyer.
