For developers, integrating software from open source projects into codebases is a great way to save time and avoid having to reinvent the wheel.
But it also comes with a major challenge: the risk of license infringement. When you reuse open source code, you must comply with one of the many open source licenses govern this code. If you don’t, you (or the company you work for) risk lawsuits for violating open source licenses.
And although such trials are relatively rare, they does it happen – and they may happen more and more often given that many open source projects are now controlled by corporations eager to champion the investment they make in open source communities.
Related: Secure open source software helps businesses find their edge
Keep reading for tips on how to avoid these legal issues if you’re borrowing open source code for your projects.
1. Learn about open source licenses
The most important step in avoiding open source license violation issues is to understand open source licensing.
It’s easy to assume that all open source licenses have the same requirements, or that they all boil down to requiring the source code to remain open. In reality, there are several dozen open source licenses, and their terms vary widely. It’s a big mistake to assume that just because you get code from an open source project, you can reuse it however you want, as long as you keep the source open. You may also need to attribute the original authors, as an example of a common – but easily overlooked – requirement of some open source licenses.
So, before choosing to use open source, learn the basics of open source licensing and understand the nuances and diversity between them.
2. Document when using Open Source
A second best practice for borrowing open source code is to establish a consistent process for documenting when you do so.
It’s quite easy to import a module or copy and paste code from GitHub. But if you don’t record where that code comes from or what license governs it, you can easily lose sight of where and how you integrate open source into your code base. It also becomes more difficult to prove that you have complied with the license terms that applied at the time you borrowed the code, which could become an issue if the applicable open source license changes.
To avoid this problem, consider including a page in your documentation wiki (if you have one) that records the open source code you have borrowed. At a minimum, you should also comment in your own source code when introducing open source components or dependencies.
3. Avoid Unlicensed Open Source Components
Sometimes you may come across an obscure GitHub repository or other source code hosting location that contains code you want to borrow but doesn’t specify licensing requirements at all.
You might be tempted to assume that the developers of the code want it to be open source and that they will let you do whatever you want with it. But this is a risky assumption. It is possible that the developers will later impose certain license terms on the code and expect you to follow them, which will lead to allegations of license violation down the line. Unless you have a very good reason to use obscure code without specific license terms, avoid it.
4. Create your own open source code
One way to mitigate some open source licensing risks is to make your own code base fully open source. This means that you will by default comply with any open source license terms that require derivative source code to remain open.
Related: Who Uses Open Source Software and Why
Keep in mind, however, that simply opening your own code does not guarantee full license compliance. The licenses that apply to the code you’ve borrowed may be different from the open source license you choose, so you’ll still need to put some effort into making sure you meet the requirements of each license. But at least you won’t have to worry about terms related to source code sharing.
5. Automatically identify open source components
While it’s recommended to manually track where and how you use open source in your codebase, you can reduce the risk of oversights by using software that helps you automatically identify open source components and dependencies.
There are two types of tools to consider here. One is Source composition analysis, or SCA, which automatically analyze source code and identify components borrowed from known third-party sources. The other is software supply chain management tools, which help identify and track (among other things) all open source dependencies within your application stack.
Open source is great, but navigating the complexities of open source licensing can be harder than it first appears. Make sure you have the right tools and processes in place to leverage open source responsibly without running into license violation issues.
About the AuthorChristopher Tozzi is a technology analyst specializing in cloud computing, application development, open source software, virtualization, containers, and more. He also teaches at a major university in the Albany, New York area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution”, was published by MIT Press.