As we have noted here, open source grew, it proliferated… and it became something that many previously proprietary-only software vendors embraced as a key means of development — but the issue of how open source software is licenced is still the stuff of some debate.
Rado Nikolov is executive VP at software intelligence company Cast; for his money, the open source licencing debate also has a security element to it.
“Large organisations using open source code from GitHub, xs:code and other sources range from Walmart to NASA, collectively holding billions of pieces of sensitive data. Although open source code packages can be obtained at low or no cost, their various intellectual property and usage stipulations may lead to expensive legal implications if misunderstood or ignored,” said Nikolov.
Nikolov argues that the crux of the matter is that, whatever licencing agreement open source software is brought in under, its most ‘important stipulations’ are often lost over time.
“The case of Artifex v Hancom shows the risk of being held liable for improper use of source code, even when it’s open source. Company executives need to ensure they are covered for the code they use, wherever they get it from. Ignorance of the law is no defence. Regularly using software intelligence for automating the analysis of open source usage is one way to significantly reduce such risk exposures,” said Nikolov.
Ilkka Turunen is global director of solutions architecture at DevSecOps automation company Sonatype.
Turunen notes that, generally speaking, there are 1001 ways of commercialising open source software — but when releasing open source, the developer has a choice of publishing it under a license that is essentially a contract between them and the end user.
“These licenses vary from fairly restrictive (i.e. must associate where the open source came from and publish source code) to fairly liberal (buy the author a beer if you like the software). It’s important to understand that all open source is licenced under some terms at all times,” said Turunen.
He notes that there are then several ways of adding commercial components on top of that licence, and indeed many commercial companies rely on fairly liberal licence types so that they can add their own commercial code on top and spin out other commercial offerings.
“Fundamentally, it boils down to open source software licencing being generally hard to [comprehend and] understand. Most devs start these projects as a passion project and just publish it with some basic license they might live to regret later when they consider their options. Fundamentally, this is another avenue for them to gain funding, but would imagine there are limits to the scalability of what can be achieved,” added Turunen.