Open source technology is simply an evolved class of licensing
under which wider, more permissive rights are given to users.
Crucially, access to source code is given, enabling user support and
development of the code. While the open source philosophy
originated in California, with frankly a long-haired approach, the
model is now effectively mainstream and competes with conventional
closed source licensing models (the 2008 Sun/MySQL and Symbian
deals demonstrate the popularity of open source).
Buying and selling open source businesses
Successful technology mergers and acquisitions (M&A) are
typified by a meeting of minds around value and risk. Some of the
unique open source risks include:
- Control over intellectual property rights (IPR) - if the target's
products contain third-party open source technology, it is virtually
certain that there will be gaps in IPR assurance - open source
licences typically disclaim any IPR non-infringement warranties or
indemnities.
- Licence non-compliance or lack of process - as a buyer, it is
safer to have a working assumption that the target is unlikely to
have a strong licence compliance process and, therefore, breach of
licence terms or IPR infringement is more likely to be a material
risk for a heavy user of open source.
- Copyleft: the notorious risk - open source is licensed under a
range of publicly available licence types which are classed as open
source licences because they share a range of characteristics.
However, within this class, licences range from simple or benign
(BSD) to viral (GPL v2/3). The GPL licence tends to be the most
popular form but contains tough obligations. If the user
distributes a product that contains or is derived from GPL v2 code,
this distribution must be done at no cost on the terms of the
General Public License, Version 2 (GPLv2). So if you buy a business
and want to combine the target's code base with your own, and the
target code is GPLv2, this could force the buyer to license its
code at no cost on an open source basis - this is no legal theory,
this happens.
Dealing with open source M&A risk
The conventional due diligence and warranty approach still works
but also think about:
- does the target have an open source policy - is it
followed?
- can it define the scope of its usage?
- what open source is present, can it be listed?
- has the target had any correspondence with the open source or
free software "community" (who actively police open source
licences)?
If there is a viral licence which could trigger a copyleft issue
then it is vital this is analysed from a legal and technical
perspective to see if the buyer's plans for that product are
consistent with the open source licence obligation.
Code scanning - the new due diligence
Technical organisations such as
Black Duck are now emerging to provide source code scanning
services to identify open source and the associated licence terms.
Once identified, a risk assessment can be carried out prior to the
transaction closing. Code scanners provide an effective way of
understanding the nature of core software assets in a target's
business and this process sits well alongside traditional IP due
diligence.
Making sense of open source
Open source is not inherently risky - it should be treated like
any other diligence issue. Provided buyer and seller understand the
issues pre-transaction and reflect this in the transaction terms,
there is no reason why open source should negatively impact a
transaction. However, as in-depth knowledge of open source seems
patchy at present, there remains the possibility of problems for
the ignorant buyer.