Open Source Software – The License Obligations

Since there are several hundred thousand free, widely used, and well maintained open source packages on the internet, it makes perfect sense to leverage open source whenever possible. If you are a commercial software developer that depends on selling your own software in the marketplace, however, it is important to understand the legal obligations and the legal restrictions that come with your open source license.

The courts have ruled that violating the license obligations in open source is similar to copyright infringement, ie, just because it is free does not mean you can ignore the license obligations.

With most open source licenses, obligations and restrictions in the license only apply if you distribute the open source, i.e., you distribute the binaries associated with the open source inside the binaries that you ship to your customers. If you use the open source software only as a development tool, the obligations posed by the open source typically do not apply.

With most Open Source licenses, the typical obligations center on attribution and re-distribution as well as various restrictions.

Attribution refers to giving credit to the authors and contributors of the open source software.

The requirements can include any of the following:

* do not remove copyrights present in the source code

* insure proper credit in the documentation

* do not imply that the open source authors endorse the commercial product without explicit permission

* clearly mark any modifications made to the open source

* if there is a redistribution requirement, clearly show in the documentation how to get the redistribution;

* in any advertising done for the commercial product, explicitly acknowledge the open source component provider.

Re-distribution refers to making the open source and related components free of charge and available to the public. This is typically done under the same license as the original open source and/or with a compatible license.

This can include the original open source, as well as any changes you make, and sometimes, any software “based on” the open source code. “Based on” is interpreted differently depending on the license.

Some licenses are designed to contaminate commercial software, being viral in nature. They can essentially force you to make all of your own commercial software that is linked to the open source software to also be given away free. These licenses are called “copy-left” licenses, and pose the greatest threat to a commercial software company’s business model.

Common license restrictions can include:

* do not make any modifications to the open source

* do not distribute this open source software without adding value of your own with additional software

* do not remove license text or copyrights in the open source

* do not initiate patent claims against any of the contributors to the open source.

Violating these restrictions can cause the license to be terminated.

While there are many dozen unique licenses, the following discusses some of the common types:

The least restrictive licenses are public domain licenses. Source code provided in the Public Domain are free to use without restriction, i.e., you can use the source code without any attribution or redistribution and you can make modifications and derivative works; and you can distribute any or all of the open source software as you see fit.

These are followed by MIT style licenses, whose name comes from the license template which was created by MIT. In these licenses, the rights are similar to public domain with the only obligation being attribution. This attribution requirement is satisfied by leaving the original copyrights that came with the open source software in place and also providing credit to the open source authors in the end user documentation.

The next common style is the BSD style licenses, which was originally created by the University of Berkeley. The 2nd version of this licenses is similar to the MIT license, with the additional attribution requirement that the commercial software provider cannot use the names of the open source provider as a product endorsement without explicit permission.

The first version of the BSD license also required that in any advertising done for the commercial product, there was an acknowledgement of the open source provider; however, the 2nd version of the BSD license is far more common.

The next common license style is from Apache, which is a large cooperative of open source contributors, with an extensive library of open source software. The Apache 1.1 licenses requirements are very similar to the BSD 2.0 license requirements.

The Apache 2.0 license adds that any modifications to the open source code must be clearly marked with a change log. The Apache 2.0 license also adds an important restriction, the patent non-assert clause, which essentially states that if you initiate patent litigation against any of the authors or contributors who helped create this open source, you can no longer use the open source.

The next common set of licenses is the CPL or Common Public License along with its derivatives such as Eclipse, IBM, and Mozilla Public License. These licenses all have similar obligations to the MIT license, but they also have additional obligations in attribution and redistribution.

The CPL license requires that the commercial software developer has to make the original CPL licensed open source code as well as any changes to that source code made by the commercial developer, available for free. In addition, the commercial software developer has to state in the end user documentation how the user can obtain this open source code along with the changes. Finally, the source code changes made by the commercial developer should be clearly marked. It is important to understand, that nothing in the CPL or its derivatives compels the commercial software developer to give away for free its own code that is packaged in separate modules from the open source software.

The final common set of licenses are the LGPL v2.1 and the GPL 2.0 licenses, which together make up the majority of all of the open source code available on the internet.

The GPL 2.0 license has all the same attribution and re-distribution requirements as the CPL license above. However, the GPL also require any works based on those packages to be offered (re-distributed) under the same “free to the public” terms. Most commercial software companies consider this an unacceptable license for commercial software, because it does drive a change to their basic business model.

The LGPL v2.1 license carries a similar obligation to the GPL 2.0 license but has a more restrictive definition of where the re-distribution obligation applies, which makes it friendlier to commercial companies then the GPL license. For example, any commercial software which is not statically linked to the LGPL licensed package does not require re-distribution.

However, the LGPL license also carries other obligations such as requiring the distributor of any package which includes the LGPL libraries to allow the end user to replace those libraries. This can certainly cause support and packaging issues for the commercial software company.

There are also several dozen unique licenses for individual open source packages. While they can generally be classified as similar to one of the common licenses described above, they often have some unique requirement or feature that needs to be taken into account.

To summarize, open source licenses have requirements in attribution, redistribution, and they can have other requirements as well. Understanding the license obligations, and abiding by them, is the true cost of free open source. It is important to understand and manage these license obligations to avoid the risk of lawsuits and other legal issues.

For more actionable insights into the license obligations of open source come visit our blog at Source Auditor.

Related Open Source Software Articles

Leave a Reply

Your email address will not be published. Required fields are marked *