Top open source licenses and legal risk
Open source licenses are licenses that comply with the Open Source Definition: they allow software to be freely used, modified, and shared. Most software developers use open source components and libraries to build software. The main problem in this context is that open source licenses are subjective: their interpretation depends on the technical usage of the licensed software. Therefore, it is difficult to determine the legal risks of using open source software, especially for developers, who are not usually legal experts. At the same time, the legal team doesn't want to deal with open source licensing and copyright chaos.
Types of OSI approved licenses:
· Apache License 2.0
· BSD 3-Clause "New" or "Revised" license
· BSD 2-Clause "Simplified" or "FreeBSD" license
· GNU General Public License (GPL) v3.0
· GNU Library or "Lesser" General Public License (LGPL)
· MIT license
· Mozilla Public License 2.0
· Common Development and Distribution License
· Eclipse Public License version 2.0
· Creative Commons License
More details about some of the licenses:

GNU General Public License (Risk – High, Usage – 18%)
· Copy the Software: There is no limit to where you can copy that code. Copy it on your own server, on your client's server, on your local workstations, wherever and however many times you want.
· Distribution: You can distribute it on thumb drives or hard drives, you can distribute the code under this license with a download link on your website, you can print out the code on paper; whatever form of distribution you want.
· Charge a Fee: You can charge someone for the software, but remember to give them a copy of the GNU GPL, which tells them that they could get the software for free from elsewhere. This also gives you a chance to tell them why you are charging for it.
· Change the Codebase However You Want: If you want to fork the project and make changes to it, you can. Remove or add features as you see fit. The only condition is that your project must also be released under the GNU GPL.
· It is important to know the distinction between source and binary distributions. There are different constraints on releasing applications in each form. Also, if a project uses the GNU GPL license, it must comply with some standard rules about commenting parts of the license requirements inside the code itself.
GNU LESSER GENERAL PUBLIC LICENSE (Risk – High, Usage – 4%)
· It grants fewer rights to the work than the GNU GPL. It is generally appropriate for libraries and projects that want to allow linking from non-GPL and non-open-source software. The GPL requires any other project or source that uses a GPL project to also be licensed as GPL; GPL licensed code can't be used for paid and proprietary software. The LGPL removes that restriction by not requiring other projects that incorporate parts of the code to be licensed the same way.
BSD License (Risk – Low, Usage – 6%)
· The BSD license is part of a family of free software licenses that place far fewer restrictions on distribution than other free software licenses. Two important versions are:
· The New BSD License / The New Modified BSD License
· The Simplified BSD License / FreeBSD License
· Both have been accepted as open source licenses by the Open Source Initiative.
· The New BSD License (known as the "3-clause license") allows unlimited redistribution for any purpose, as long as the copyright notices and disclaimers of warranty of the license are maintained. This license has an interesting requirement: it contains a clause restricting the use of contributors' names to endorse a derived work without specific permission. It basically means that if someone has forked some famous person's code and made changes to create a new project, s/he can't use that person's name to endorse it. The primary difference between the New and the Simplified BSD License is that the Simplified BSD License omits this clause.
MIT LICENSE (Risk – Low, Usage – 32%)
· It is the shortest and perhaps the most used of all the popular open source licenses. Its terms are loose and more open than most others. The core grant of this license is:
· Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
· The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
· This basically means that you can use, copy, and modify the software however you want. No one can prevent you from using it in any other project. You can give away software under it for free or sell it. There are no restrictions on distribution whatsoever. Anyone can do whatever they like with code licensed under the MIT license, as long as it is accompanied by the license.
APACHE LICENSE (Risk – Low, Usage – 14%)
· Apache License version 2.0 rights apply to both copyrights and patents. Some licenses apply only to copyrights and not to patents. Some details of the Apache License:
· Rights are Never Ending: Once the rights under the Apache License have been granted, you can continue to use them forever; there is no need to renew them.
· Worldwide Authority of Rights: Even if rights are granted for one country, they are automatically granted in all countries.
· Rights for No Fee or Royalty: No charge, neither up front nor per usage nor on any other basis.
· Rights are Irrevocable: No one can ever tell you that your derivative of code licensed under this license can't be used anymore. (A clause in the license states that if you sue someone over patent infringement on anything under this license, then your license is terminated, but that only applies to patented work, and as long as you don't sue anyone over the work, you won't have to worry about it.)
· Redistribution of the code has requirements, mainly related to giving proper credit to those who have worked on the code and maintaining the license.
Managing Open Source License Risk
Whitesource automates the entire process of open source component selection, approval and management, including detection and remediation of security and compliance issues. Whitesource Prioritize uses groundbreaking new technology to enable organizations to check if and how their software projects are affected by employed open source software components that are reported to have security vulnerabilities. It integrates with all stages of your software development lifecycle (SDLC) to alert in real time and help you fix issues faster and easier.