With the increase in popularity of open-source software, developers can access source codes, make modifications, and redistribute the modified code. But here’s the crux: every bit of software has an associated license! For personal projects, it is not necessary to have a really good understanding of the various open-source license types. However, if the modified code is to be used for commercial projects, there can be legal implications if the license permissions are not strictly observed.
For example, a client for whom the application or platform has been built may go on to sell that solution to their customers. Typically, the client will perform an open-source audit or ‘scan’ to identify any open-source license permission infringements. Licensing violations may begin as an honest oversight, but they are often the result of misunderstanding or misinterpreting license types from the outset.
Therefore, being familiar with the different open-source software license types before deploying is the critical first step in avoiding the potential pitfalls of using incorrect licenses.
Understanding ‘Free’ Versus ‘Freedom’
What comes to mind when you hear the phrase Free and Open-Source Software (FOSS)? You’d be forgiven for thinking it implies you can obtain it ‘at no cost’, or use the software ‘as-is’ with no implications. But remember our opening statement: all software has an associated license.
While the term ‘open-source’ reflects that the software is openly available for modification or enhancement, the ‘free’ in FOSS means the open-source license grants you four ‘freedoms’:
- Freedom 1: USE. FOSS can be used for any private or commercial purpose, and is free of restrictions.
- Freedom 2: SHARE. FOSS can be shared and copied with practically no associated costs.
- Freedom 3: STUDY. FOSS and its source code can be reviewed by anyone, without restrictions such as NDAs.
- Freedom 4: IMPROVE. FOSS can be modified by anyone, with the ability to publicly distribute the improved derivatives.
Now we have clarified the different FOSS freedoms, let’s examine the different open-source license types.
Types of Open-Source Software Licenses
We’re all familiar with the term ‘copyright’, where the software owner holds the exclusive rights to use, copy, or distribute the creative work to other users or third parties. As such, software distributed under copyright alone falls outside the realm of open-source evolution. Open-source software license types, by contrast, fall into two categories: copyleft and permissive.
In contrast to copyright, ‘copyleft’ comes with certain restrictions but does grant certain permissions to use the software. In other words, an arrangement is made whereby source code may be used, modified, and distributed freely provided that certain conditions are met. Furthermore, all modified versions used for commercial purposes are bound by the same conditions and cannot be sub-licensed under a different license type. Examples of copyleft licenses include GPL v2/v3 (which both fall within the GNU family) and the Mozilla Public License.
The ‘permissive’ license type goes one step further by providing a much wider range of permissions and is more open for anyone to use. In this case, modified versions and derivatives can be sub-licensed under a different license type, for example, making the derivative software copyleft. Examples of permissive licenses include Apache 2.0, MIT and BSD.
Global Trends in Open-Source License Type Usage
Globally, 96% of mission-critical workloads are using enterprise open-source licenses, but the choice of license type will depend on what developers want to achieve. Previously, an open-source copyleft license was a great step forward in enabling access to, modification of, and distribution of source code, but that was where the process ended.
The whole ethos behind open source was to encourage more sharing and distribution between developers. For example, the modified source code is also open-sourced, so that the community of contributors can make further enhancements or improvements, make those accessible, and so on.
This started to create a snowball effect until a critical mass was reached, at which point the less restrictive permissive license was firmly established. Over the last eight to nine years, WhiteSource research has shown that the use of copyleft licenses has steadily decreased, as permissive licenses gain in popularity year on year.
Of the top open-source licenses available, Apache 2.0 is by far the most popular, closely followed by MIT (Fig. 2). As mentioned above, they are both permissive licenses, so neither one is subject to copyleft limitations or provisions. In addition, both licenses are compatible with other software licenses; Apache 2.0 and MIT components can even be bundled together.
Available Licenses: A Deep Dive
Each open-source license, permissive or copyleft, will have certain permissions, conditions and limitations of use which must be observed.
- Permissions relate to whether or not the software can be used for commercial purposes, whether modification is possible, and whether you can patent the modified version. They also define whether distribution of the source code ‘as-is’ or of a modified version is permitted, and whether you can use it for private purposes. These permissions are subject to meeting the conditions.
- Conditions relate to whether you have to open-source your entire software package, even if you have only deployed a small modified section of the original code. They also stipulate whether a derivative must be made open-source, and whether the license and copyright notices need to be displayed. Lastly, the conditions state the need to preserve the original license and whether you need to document the changes. Even when these conditions are met, there may be some usage limitations.
- Limitations relate to what the license does not cover, in terms of liability and warranty, and whether you can add your own trademark to the derivative. For example, the license provider is not liable for the derivatives used by others, nor does it provide any warranty once the software has been modified; the user assumes the responsibility.
Unfortunately, there is no regulatory authority that governs open-source license misuse. If it is discovered that a derivative is not compliant with the license conditions, the license owner can take legal action. Limitations tend to be standard without much deviation, whereas permissions and conditions change all the time. Therefore, to help eliminate violations, License Compliance Manager tools are available, which monitor software development projects that use open-source components and alert on any non-compliance.
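As an added illustration of the kind of check such a compliance scan performs (this is example code, not the post's own or any real scanner's), the block below evaluates each dependency's declared SPDX license expression against a policy built on the post's copyleft/permissive split. The dependency list, the policy and the license-to-category table are constructed for the example.

```python
import re

# Category per SPDX identifier, following the post's grouping of
# Apache 2.0 / MIT / BSD as permissive and GPL / Mozilla as copyleft.
CATEGORY = {
    "MIT": "permissive", "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "GPL-2.0-only": "copyleft", "GPL-3.0-only": "copyleft", "MPL-2.0": "copyleft",
}

def evaluate(expr, policy):
    """Return True if the SPDX expression can be satisfied under `policy`
    (a set of allowed categories). 'A OR B' lets the distributor pick one
    license; 'A AND B' means both sets of conditions apply at once.
    Unknown identifiers never satisfy the policy, so they get flagged for review."""
    tokens = re.findall(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.+-]+", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        ok = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            rhs = parse_and()          # always parse; no short-circuit
            ok = ok or rhs
        return ok

    def parse_and():
        nonlocal pos
        ok = parse_primary()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            rhs = parse_primary()
            ok = ok and rhs
        return ok

    def parse_primary():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            ok = parse_or()
            pos += 1                   # consume the closing ')'
            return ok
        return CATEGORY.get(tok, "unknown") in policy

    return parse_or()

def audit(deps, policy):
    """Names of dependencies whose license terms cannot be met under the policy."""
    return [name for name, expr in deps if not evaluate(expr, policy)]

# Constructed sample manifest: (dependency name, declared SPDX expression).
DEPS = [
    ("webframework", "MIT"),
    ("pdf-renderer", "GPL-3.0-only"),                    # copyleft: alert
    ("dual-licensed-db", "GPL-2.0-only OR Apache-2.0"),  # Apache option satisfies
    ("crypto-lib", "Apache-2.0 AND MPL-2.0"),            # MPL terms apply too
    ("mystery", "SEE-LICENSE-IN-FILE"),                  # unknown: alert
]
COMMERCIAL_POLICY = {"permissive"}  # policy for a proprietary, closed-source product

if __name__ == "__main__":
    for dep in audit(DEPS, COMMERCIAL_POLICY):
        print("license alert:", dep)
```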
Imagine this: you’ve developed an innovative customer solution, implementing some great open-source software along the way, only to discover that the software had a copyleft license. This project may have been many years in the making, but now it is not possible to copyright your work; it must be made publicly available, and you lose any potential exclusivity rights to generate income from it.
The evolution of open-source software has certainly brought many benefits to entire communities of developers, with some organizations developing solutions based entirely on FOSS. However, knowing which license type is associated with which software is the critical first step to gaining a better understanding of the long-term implications.
The author of the blog is Ashish Kaushik, CISO, SourceFuse.