Open Source Compliance: The Carrot and the Stick

Open source has become central in how companies develop software products as it dramatically reduces time to market. The surprising thing is that, despite its high usage and popularity, many people in our industry are still nervous when it comes to using open source.  Especially around open source compliance.

This hesitance comes mainly due to the misunderstanding how open source compliance is enforced. So, what can we as a community do to allay their fears and promote the benefits of open source compliance?

Temenos Automates Their Manual Workflows

to Increase Agility

Litigation’s Role in Open Source Compliance

An open source license is a legal agreement the user automatically accepts once they use a component in their software. Complying with the open source licenses of components is one of the central ideas behind open source. If open source users don’t follow the legal contract the author has attached to their code, then there will be no future for open source. This is because individuals and organizations will stop sharing their code, as the trust between authors and users will have broken down.

Complying with a license can mean accrediting the original author of a component, stating any modifications you made and even, in the case of the copyleft licenses, disclosing your source code. Yet, one thing’s for sure. No matter which open source licenses you use, there are certain things you need to do.

The question that has been on the table ever since the dawn of open source, is how should open source compliance be enforced? What should litigation’s role be when it comes to open source compliance?

Promoting License Compliance

I’m sure many agree that the open source community’s goal is to improve the quality of open source code by increasing both the amount of code released, and its usage.

In my opinion, this goal can’t be achieved if authors of code view litigation as a tool to enforce open source compliance. We, as a community, need to convince open source users that license compliance improves the quality of open source offerings freely available to them. This task cannot be achieved through fear of litigation.

I should also point out that that I do believe litigation does have a role to play when it comes to license compliance, but only in extreme cases where companies in breach of licenses are unresponsive. As Eben Moglen, president of the Software Freedom Law Centerstated regarding BusyBox case he filed in 2009  “we thought that people you can’t contact, people you can’t get to answer the phone, people who will never spontaneously comply—they won’t even answer your mail—maybe they’re the right people to make an example of, and only then should you sue”.

In the same speech, Moglen goes on and explains that the night before he filed the BusyBox lawsuit, he finally managed to contact the general counsel of one of the organizations he was planning to sue. Consequently, once the general counsel assured Moglen that his organization would fix the issues, his organization was dropped from the lawsuit.

Moglen did this because he, like many other contributors in our community, believes compliance cannot be achieved through litigation.

Risks of Getting Lawyers Involved

Additionally, authors choosing litigation should be aware that losing is always a possibility. Just as happened with BusyBox vs VMware, where the court came out in favor of VMware, as they claimed BusyBox didn’t specify the lines of its code which the defendant had allegedly used. Therefore, the community could end up damaging the credibility of the cause they’re trying to protect, namely motivating users to comply with open source licenses.

Either way, the sheer cost of litigation makes it impossible to sue every time the community suspects someone of infringement. More importantly, if the community is too quick to resort to lawyers, people will become too afraid to use open source altogether.

So, if coercion isn’t the best way to promote open source license compliance, what is?

What Should Happen When Licenses Are Breached?

As I said above, you don’t convince people by scaring them. Instead, users need to be reassured that as long as they stay open to resolving cases of infringement amicably, they will not get sued. Ever.

The recent WordPress vs Wix fiasco offers us a great example of what an author should do when they notice another company is using their open source project not per the license they chose. Without getting any lawyers involved, Automattic CEO, posted an article with a harsh accusation that Wix used a project they released under the GPLv2 license with an MIT license instead. Within days Wix fixed the issues, but they suffered a major PR hit.

This case showed us all when commercial organizations do infringe, the community benefits if authors don’t view it as a money-making exercise. But rather an opportunity to reach out and educate people how to use, contribute and comply with open source effectively.

Contributors Are Also At Fault…

However, with all this talk of license infringement by users, we also need to take a closer look within our community and ask how we can improve open source license compliance.

Currently, around 80% of code published on GitHub is unlicensed. If code doesn’t have an open source license, it’s not open source. This means it’s still protected by copyright laws, and it cannot be used by commercial entities in their software products.

The big problem is that majority of users don’t know this, and believe that if there’s no open source license – it’s free to use with no limitations or obligations.

Authors publishing code on GitHub with no open source license are not only damaging open source’s credibility, but they’re also putting companies at risk of infringing copyrighted code.

Bringing Order to The Open Source Bazaar

Open source compliance is critical for the continued growth of the open source community. It brings order to the open source bazaar, but it doesn’t necessarily mean we need to get the law involved as well.

We, contributors and users, should remember that the largest contributors today to open source are commercial enterprises. Subsequently, without the order open source licenses guarantee, they would have no control how their code is used, and so they may be less likely to share their work with us. So, for the sake of open source’s prosperity, we should all give open source licenses the attention they deserve.