Understanding the Categories and Risks of Open Source Licenses

Copyleft obligations are generally triggered when software is distributed, so companies that ship software should know the obligations imposed by each open-source license they rely on. Open source components should only be used if the governing licenses are known and their obligations are acceptable within the current context and business model.

Open source licenses can be roughly divided into three categories: licenses with a strong copyleft effect, licenses with a limited or weak copyleft effect, and licenses without a copyleft effect (permissive licenses).

Permissive licenses also carry obligations, e.g. the license text and notices must be provided, but they have no effect on other parts of the product. Copyleft licenses, however, can broaden their scope. If copyleft-licensed software is combined with other software, e.g. by copy/paste or by linking, the license requires the combination as a whole to be licensed under the same copyleft license and, consequently, its source code to be made available. Strong copyleft licenses cover all kinds of combinations, while weak/limited copyleft licenses exclude some of them, e.g. linking, under conditions that are specific to each license.

Using open-source components under a copyleft license can therefore mean that the entire software, including the self-developed code, must be made available under that free license.

Possible Risks of Components under Copyleft Licenses

Not respecting the copyleft license obligations, e.g. not providing the full source code of the combination, can have far-reaching consequences, including preliminary injunctions, delivery stops or recalls, damage payments, profit skimming, unfair competition claims, and criminal charges. Especially for companies whose most valuable asset is their self-developed software, this can become a threat to their existence.

How to handle it

Open-source components with copyleft licenses should only be deployed if the resulting copyleft effect does not extend to code that you want to keep proprietary. To determine whether proprietary code is affected by the copyleft effect, an understanding of both the software architecture and the specific copyleft provision of the open-source license is required. Developers should be aware of the copyleft concept, and rules should be defined on how and where such components are allowed to be used. The copyleft effect is triggered as soon as copyleft-licensed code is incorporated into the codebase, and it often extends to the whole product. Establishing an effective Open Source management system is key to dealing with this and the other risks associated with the use of open-source software.
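One way to turn such rules into an automated check, as an added example that is not part of the original page and not a BearingPoint tool: the script below classifies each dependency's declared SPDX license identifier into the three categories described above, then combines the category with how the component is integrated (copied, statically linked, dynamically linked, or run as a separate program) to decide whether it can be allowed, needs legal review, or must be blocked. The mapping of identifiers to categories, the component names, versions and manifest are constructed for illustration; the classification of a given license must be confirmed against its actual text and by legal review, as the paragraph above requires.

```python
"""Added example (not from the original page): a minimal license-policy check.

Classifies SPDX identifiers into strong copyleft, weak copyleft and permissive,
then flags components whose copyleft effect could reach proprietary code.
The category mapping is an illustrative assumption, not legal advice.
"""
from dataclasses import dataclass

# Illustrative mapping (assumption): confirm each entry against the license text.
STRONG_COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}
WEAK_COPYLEFT = {
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "MPL-2.0", "EPL-2.0",
}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

CATEGORIES = (
    ("strong-copyleft", STRONG_COPYLEFT),
    ("weak-copyleft", WEAK_COPYLEFT),
    ("permissive", PERMISSIVE),
)

# How a component is combined with the proprietary code (hypothetical vocabulary).
COMBINATIONS = {"copied", "static-link", "dynamic-link", "separate-process"}


def classify(spdx_id: str) -> str:
    """Map an SPDX identifier to one of the three categories, or 'unknown'."""
    normalized = spdx_id.strip()
    for category, identifiers in CATEGORIES:
        if normalized in identifiers:
            return category
    return "unknown"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str       # declared SPDX identifier; empty string if none was found
    combination: str   # one of COMBINATIONS


def evaluate(c: Component, distributed: bool = True) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    if c.combination not in COMBINATIONS:
        raise ValueError(f"unknown combination type: {c.combination!r}")
    category = classify(c.license)
    if category == "unknown":
        # Unknown obligations cannot be accepted: stop until the license is identified.
        return "block", f"license {c.license!r} not recognised; obligations cannot be assessed"
    if category == "permissive":
        return "allow", "permissive: ship the license text and notices with the product"
    # Copyleft from here on. Obligations are tied to distribution; the AGPL
    # additionally treats interaction over a network as a trigger.
    if not distributed and not c.license.startswith("AGPL"):
        return "review", "copyleft but not distributed: confirm the distribution model"
    if c.combination == "separate-process":
        return "review", "runs as a separate program: confirm there is no copying or linking"
    if category == "strong-copyleft":
        return "block", "strong copyleft covers copying and linking: proprietary code would be affected"
    if c.combination == "dynamic-link":
        return "review", "weak copyleft may exclude linking: verify the license's linking provision"
    return "block", "weak copyleft still covers copied or statically linked code"


def check_manifest(components, distributed: bool = True):
    """Evaluate every component; returns a list of (name, verdict, reason)."""
    return [(c.name, *evaluate(c, distributed)) for c in components]


def blockers(results):
    """Names of components that must not ship as currently integrated."""
    return [name for name, verdict, _ in results if verdict == "block"]


# Constructed sample manifest; names and versions are hypothetical.
SAMPLE_MANIFEST = [
    Component("libfoo", "1.2.0", "MIT", "static-link"),
    Component("libbar", "0.9", "GPL-3.0-only", "dynamic-link"),
    Component("libbaz", "2.1", "LGPL-2.1-only", "dynamic-link"),
    Component("tool-qux", "4.0", "GPL-2.0-only", "separate-process"),
    Component("vendored-snippet", "", "", "copied"),
]

if __name__ == "__main__":
    for name, verdict, reason in check_manifest(SAMPLE_MANIFEST):
        print(f"{verdict:6} {name}: {reason}")
```

Run as a CI step over the real dependency list (or an SBOM converted into `Component` records), a non-empty result from `blockers` fails the build, and every `review` verdict is routed to the people who can judge the architecture and the license provision; the script deliberately never downgrades an unknown license to "allow".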

BearingPoint Open Source Management Services

Our expertise is dedicated to compliance and risk management across a diverse range of business situations, organizations, and marketplaces, so that you can gain full transparency on Open Source-specific risks.

Get in Touch

Talk to our specialists and learn how our Open Source Management Services can help your business.