Are you on top of: open source software?

Understand what is used

The most fundamental aspect of open source software licence compliance is to know which open source software components are used and which licence terms and conditions are applicable. A single code base often contains several hundred open source software components. Moreover, code is something that changes over time. It can thus be difficult to keep an accurate record manually. If an updated register of the open source software used is not kept, it may be necessary to carry out a software scan of the company's source code.

Understand what the licence terms and conditions mean

In general, an open source software licence is characterised by the fact that the licensee is granted a broad licence to use, copy, modify and distribute the software conditioned upon that the licensee complies with certain requirements. The requirements that the licensee needs to comply with depend on which open source software licence is applicable.

Pay attention to ‘copyleft’

If you want to be able to commercialise your proprietary software, you should avoid using open source software that is subject to “strong” or “ultra-strong” copyleft license terms – such as GNU GPL v.2, GNU GPL v.3 and Affero GPL.

If the proprietary software is combined with or created from open source software components licensed under “strong” or “ultra-strong” copyleft license terms, the proprietary software must, upon distribution (or, in some cases, upon making available the software over a network),  be further licensed under the same copyleft license terms. This may involve, inter alia, an obligation on the licensee to disclose not only the source code of the open source software, but also the source code of its proprietary code, in order  not to violate the terms of the open source software licensed under such copyleft license terms. This is what is sometimes referred to as the "viral effect" of some open source software licences.

Don’t forget the more formalistic requirements

A common misconception about open source software is that as long as you avoid open source licences that are subject to "strong" or "ultra-strong" copyleft, the risks of using open source software are limited. However, it is not quite that simple.

As a matter of fact, most open source software licence terms and conditions impose requirements of a more formalistic nature which are triggered upon distribution of the software, such as requiring the licensee to mention the author, include a copyright notice, include a copy of the open source software license terms and/or  a disclaimer of warranties for open source software. While these requirements are often possible to fulfil in practice, it may be administratively burdensome to do so afterwards, and especially if a large number of open source software components have been used.

Understand how the software is provided

A key aspect in terms of open source software license compliance is to understand how the software that includes open source software components is provided. To solely use open source software internally and not distribute any software to a third party does not normally pose a problem. This is because the obligations of most open source software licences are triggered first when the software is distributed.

That said, it can be difficult to determine whether a particular use case constitutes distribution within the meaning of the relevant open source software licence terms and conditions. When open source software is used in software that is in some way provided to third parties, it is therefore important to consider the question of distribution.

Maintain the software

In order to protect one’s code against unauthorised access, etc., it is important to ensure that one’s source code is maintained and that updates and patches are installed to address known vulnerabilities, etc. When purchasing commercial software, the licensor will vis-à-vis the licensee often assume responsibility for software updates and maintenance. However, with open source software,  the licensee itself is responsible for updating and maintaining the open source software components used. This places stringent demands on the licensee to have processes in place to manage security and maintenance issues.

In order to manage the risks of using open source software, it is good to have procedures in place. Such procedures could include that you:

• Establish an open source software policy appropriate for your business organisation. Most open source software policies usually include the following:
  • Which open source software licences are always/sometimes/never permitted?
  • Who should authorise the use of open source software in the business?
  • How and where can open source software be used?
  • How will you work to ensure that open source software is used in accordance with the licence terms?
    
    
• Perform regular scans of your source code.There are several companies which perform scans of source code in order to identify licence risks, security risks and vulnerabilities. In  M&A transactions, it is increasingly common for investors or buyers to request such a scan of the company's source code to identify the software used. By performing regular scans yourself, you will increase your ability to detect and manage potential risks in good time.
• Prepare a register(manually or with the help of automated tools) in respect of the open source software components which are used in your operations/products, including the licence terms and conditions that are applicable. Automated tools can also help to create so-called licence notices.

• Check your business model! Do you distribute your software or do you rely upon the fact that the software is only made available over a network (SaaS)? Your choice of business model dictates which other open source software practices you need to have in place.

Feel free to contact us with your open source related questions.