Open Source just means free, yes?
No.
Simply being free does not mean a piece of software is Open Source.
The Open Source Initiative have an Open Source Definition, which is:
Putting some software out into the public domain, uncopyrighted and free, may seem like the very definition of Open Source. Anyone can download it, use it, modify it, improve it etc.
However, there’s nothing to stop a 3rd party taking that free software, making a few changes and selling it as their proprietary software. Users who acquire the software via this channel won’t have the freedom of use that the initial author intended – and that is quite often the antithesis of Open Source software.
The concept of Copyleft can be attributed to Richard Stallman who, in his “GNU Manifesto” wrote:
“Everyone will be permitted to modify and redistribute GNU, but no distributor will be allowed to restrict its further redistribution”
However, the origins of the term copyleft (in this regard) can be attributed to his friend and fellow programmer, Don Hopkins.
Anyone creating a derived version of software covered with a “copyleft” license must make their new version available under the same license too.
In its strongest form, a copyleft license places this condition on all the other code that is compiled alongside the open source code, to make the final product. This means if a company used copyleft open source software alongside their proprietary code, they would have to make it all available for free, to comply with the licensing terms.
A high-profile example of a copyleft license is the GNU General Public License (GPL).
However, there are different flavours of Copyleft – some less restrictive than others. For example, the GNU Lesser General Public License (LGPL) uses a compromise form of copyleft, which means it can be used within proprietary software.
Interestingly, because Copyleft is based on Copyright, any Copyleft license must include a Copyright symbol to be fully correct and compliant.
This is often seen as the opposite of Copyleft, as it places minimal requirements on how the software is redistributed.
The Open Source Initiative describes a Permissive license as:
“…a non-copyleft open source license — one that guarantees the freedoms to use, modify, and redistribute, but that permits proprietary derivative works.”
MIT License, BSD License and Apache License are all well known examples of permissive Open Source licenses.
If your company develops software, the Copyleft license is a big reason you must pay attention to what Open Source components are being used.
Say one of your developers find a great piece of software online, which would fit perfectly into the project they’re working on. It’s freely available online and will save weeks of time so they incorporate it and your new program is ready for sale.
However, it transpires the software they downloaded was Copyleft protected. If it’s the strictest form of Copyleft, you may not be allowed to charge your customers for your newly created product.
Assuming you don’t want to give it away for free, the product will need to return to development and have the offending Open Source elements replaced, with either Open Source software sourced under an appropriate license model or components developed by the in-house team.
At the very least this will cause delays, exceeded budgets and missed deadlines. At worst, a public product recall and lawsuits.
Why did the developer do it? It could be:
They all show the need for oversight from the ITAM team. Just as you don’t allow people to do what they feel like with licensing from vendors such as Microsoft and Oracle – the same should be true for Open Source software.
To show that Open Source license terms can require the same level of understanding and translation as proprietary terms, consider this passage from Opensource.org:
“LGPL is not “weak” in the same way MPL is, for example. Code from an LGPL project itself is fully reciprocally licensed at a project level. Any code borrowed from it for other uses as well as any alternative uses of the project itself are expected to be fully licensed under the same LGPL. Within the project itself, LGPL is “strong copyleft” just like GPL code, but the resulting executable does not necessarily have “strong copyleft” requirements – it’s effectively non-reciprocal in many uses.”
It’s easy to see how confusion could occur here!
It’s probably safe to say that most organisations haven’t had controls in place around Open Source use up to now, and that leads to a couple of questions.
There are other questions to consider too:
Another concern around Open Source is its prevalence within 3rd party software solutions, the difficulty in detecting this and the holes this can leave in an organisation’s security defences. That however, is another article for another day!
Open Source Initiative: https://opensource.org
Open Source Definition: https://opensource.org/osd
Copyleft: https://opensource.org/node/875 & https://www.gnu.org/licenses/copyleft.en.html
Free Software Foundation – https://www.fsf.org/licensing/
Open Source ITAM Software – https://itassetmanagement.net/2009/12/02/open-source-itam-software/