At Rogue Wave Software, we have been conducting open source software (OSS) audits for customers for over six years. And for several years prior, we assisted companies in the development of their open source policies and support strategies.
I find it interesting that there have been indications, over the last 15 years, of a trend towards permissive licenses and away from copyleft licenses such as the GNU General Public License. The trend has even been corroborated by data analysis.
Clearly there are two key perspectives on this trend:
1) The types of licenses that OSS developers choose for their projects
2) The types of licenses that commercial developers choose when picking OSS for use in their application development
And, while these choices are linked, I think the OSS developer choice does not necessarily drive the choices made by businesses.
Explaining the copyleft vs. permissive trend
As development languages and frameworks rise and fall, the trend can largely be explained by a larger pool of new projects under permissive licenses (perspective 1: OSS developers use more permissive licenses and are moving away from choosing copyleft licenses for their projects). However, until the underpinnings of application development (databases, operating systems, and frameworks) change, the fundamental core components under copyleft licenses will basically stay the same (perspective 2: commercial developers continue to use copyleft OSS and don’t, or can’t, necessarily move away from it). The ratio will undoubtedly change to give the impression that people are moving away from copyleft, while they are actually just using more permissive-licensed components.
However, with all this said, we have seen one aspect of OSS license use that has stayed constant among commercial developers. When we perform an audit, our customers are not champing at the bit to find out what OSS they use. Rather, if we find a snippet match or an OSS project they didn’t know they had, they want to know what risk that creates for them.
Which one is right for you?
Experienced customers, such as large organizations that consider an OSS audit part of their standard M&A due diligence process, ask, “where is our greatest risk and what are our issues?” Companies doing audits for the first time will naively ask, “are we in compliance?”
Copyleft licenses require more effort when considering compliance. You have to ask (and answer) questions like:
• Are we distributing?
• How does implementation in the cloud affect distribution?
• What is distribution?
• What is a derivative work and have we created a derivative work?
In contrast, permissive licenses allow you to change or add to license terms as long as you comply with the existing terms. And permissive license terms are generally less complicated to comprehend and to meet.
I don’t mean to point out these differences as a form of fear, uncertainty, and doubt, but rather to suggest that the path to seek and use more permissive licenses is driven by a fundamental desire to reduce risk and simplify the use of third-party open source software in the development of commercial software. Why make things more complicated than they need to be?
OSS development and use of OSS continue to grow at an astounding rate. In the beginning, a large percentage of OSS came from the GNU project. Today, data suggests that OSS is more often than not introduced under permissive licenses. But the GNU components and other core components under copyleft licenses still play a huge role in the development of commercial software. Smart commercial developers educate themselves and comply with OSS licenses, but who, if given a choice, wouldn’t take the easier path?