This is the second of five posts in a series called Open Source in Software Procurement. Click here for the first/introductory post.
Open source software is software licensed (a) with its source code included and (b) with the right to modify and redistribute. What’s wrong with that? Nothing. Concerns about OSS arise on two fronts. First, some people think it offers less security than traditional commercial software. Second, there’s a flavor of open source called “copyleft” – a.k.a. “viral open source software” – and that does create legal problems, though not for everyone.
Open source licensing is complex, and this post only summarizes it. For more, see The Tech Contracts Handbook, Appendix 2.
Some professionals think OSS is less secure because anyone can see its source code, including hackers. So if your software includes open source code, hackers might know how to hack it.
Many IT professionals dispute that idea. We’ll consider it controversial but still address security concerns under part 5, Security — to be posted soon.
Copyleft Open Source Software
Open source licenses are either permissive or copyleft. Those terms describe the licensee’s rights to redistribute the software. Permissive licenses don’t restrict redistribution — at least, not much. Most permissive licenses just require that the licensee include various disclaimers when it redistributes. So permissive OSS doesn’t create meaningful legal problems for the licensee. (The permissive licenses include the BSD and MIT licenses, for “Berkeley Software Distribution” and “Massachusetts Institute of Technology.”)
Just to be clear, when I talk about the “licensee,” I mean a company receiving OSS from its vendor, usually as part of a larger product. That company/licensee might not know about the open source license (whether it’s permissive or copyleft). The OSS could be buried in the vendor’s product, along with its license.
Unlike permissive licenses, copyleft licenses create real problems for licensees — at least, for some. “Copyleft” is a play on the word “copyright.” It turns copyright around by requiring freedom to copy — through some unusual license terms. If the licensee redistributes the software, it has to give its customers the source code and the right to modify and distribute. In other words, if you redistribute, you have to use the open source model. (The best-known copyleft license is the General Public License, or GPL, from the Free Software Foundation — also called the GNU GPL.)
The problem gets worse from there. If the copyleft software becomes part of a larger software product, and the licensee distributes that product, it has to distribute the whole thing as open source software. So just by including a little bit of copyleft-licensed code in your software product, you’ve “infected” it with an obligation to use the open source model. Thus, copyleft’s unhappy nickname: “viral open source software.”
When Copyleft Matters
Here’s when copyleft matters to you as the licensee/buyer — and when it doesn’t:
- If you use OSS in-house, copyleft does not matter. You’re not redistributing the software; you’re just using it. So obligations triggered by distribution don’t impact you.
- If you distribute copies of OSS, alone or as part of your software product, copyleft does restrict you. You don’t want copyleft open source software in your system if you don’t want to distribute the whole software product under the open source model.
- If you include OSS in your software-as-a-service (SaaS) offering, copyleft usually does not matter. You’re not redistributing the copyleft software. You’re just running it on your own computers (or your cloud host’s computers) and letting your customers log in and use it. So rules triggered by distribution don’t matter. However, there is a type of copyleft license that does matter to SaaS providers: the Affero General Public License (AGPL). If your SaaS includes open source software licensed under the AGPL, you have to give your customers source code for the whole product and the right to redistribute. But not much software uses the AGPL. (It’s also possible the AGPL isn’t enforceable under copyright law, which would weaken it, though it would retain some teeth.)
© 2018 by Tech Contracts Academy, LLC. All rights reserved.