Staying on Top of Open Source Software Use
Open source software (OSS) is a common building block in today’s commercial software development process. When developers are creating new products or services, they can sometimes save time and money by using open source software components that perform some of the functionality they are looking to incorporate into their own product or service. While open source software is available for free, it is still subject to a license agreement. Unlike commercial software, whose terms are typically reviewed before use, documentation of OSS use and compliance with the terms of the accompanying license agreement is sometimes overlooked because the software is so readily available.
Unfortunately, this small oversight can cause big problems down the road for a company, particularly if OSS use is discovered at an inopportune time. For example, a company may be asked about its use of open source software and be required to make representations about its licensing compliance in the midst of due diligence for an acquisition or financing. Investors and acquirers often ask for a list of all OSS incorporated in a product as part of their due diligence requests. If the company has failed to maintain an inventory of such use, it will be forced to scramble in order to respond to the diligence request. Similarly, a company may be in the midst of negotiating a license deal with a potential new customer and learn that the licensee’s procurement process requires documentation of all OSS in the software being licensed. If OSS use is discovered at this point, the deal could be delayed significantly while the extent of OSS use is determined.
Another pitfall of OSS being used unknowingly in a product is the risk of noncompliance with OSS licenses, which may result in the licenses being voided. Ultimately, regardless of the triggering event, the unexpected discovery of OSS can leave a company vulnerable to the loss of time, money or potential business opportunities.
Getting up to speed
If OSS use is suspected, the best course of action is to bring yourself up to date immediately by finding out what, if any, open source software has been included in your product. If answers are needed quickly, such as during a potential acquisition, the fastest way to learn what is in your product is to audit your code base using a reputable open source audit service. There are several open source audit services that can perform a complete scan of your code base and can also help you determine if you are compliant with any discovered license requirements. Although these services are not inexpensive, they can provide fast answers that satisfy diligence requests. Alternatively, you could ask the company’s engineering team to complete a full inventory, assuming time and resources permit handling this work internally.
In the event OSS is present, it is important to take all necessary compliance steps right away. In some cases, these steps may be quite simple, like maintaining copyright notices and providing a copy of the OSS license with any distribution, as required by the MIT License, while other license requirements may be more burdensome, such as releasing any modifications you made to the OSS component. In some cases, you may determine that you do not want to comply with the requirements and need to look for an alternative. This is often the case with “viral” licenses, such as the GNU General Public License Version 2.0, which in some circumstances may require you to release the source code of your whole program, including your proprietary code, under the GPL if your code incorporates GPL’d code.
Once the OSS in your product or service is properly documented and the company is compliant with all applicable licenses, you should consider implementing an OSS-specific policy and procedure designed to ensure the list is updated whenever additional OSS components are used, as well as to maintain compliance with the applicable licenses. For instance, a formal reporting and approval process could be implemented which will enable the company to track the use of OSS. Alternatively, many of the open source audit services also provide tools for tracking OSS use.
If you would like to learn more about OSS compliance, please contact Michelle Rosenberg at email@example.com.