How to use open source code safely without losing your software rights

ispmanager.com - Aug 30 - Dev Community

Hi! I'm Oleg Makarov, the lead lawyer at ispmanager. This article will be useful for everyone who uses open-source software to make money. We'll discuss how to work safely with open-source licenses and what happens to violators, including the likes of D-Link and Cisco Systems.

Developers of commercial code face the most risk — smart competitors are sure to review the code. If they find a copyleft segment, they may demand that the code be disclosed and made available to everyone. And by law, they will be in the right. Everyone will suffer — business owners, developers, vendors, and lawyers.

What copyleft is, how to use it safely, what other licenses there are, and what their terms of use are — it's all covered here in detail.

What are open-source licenses anyway, and what different types are there

There are two types of free licenses. The main distinction between them is the requirements for how to use the software derived from them.

“Use it any way you like. Just declare who you got it from” i.e., permissive licenses. They allow you to use open source code for any purpose, including commercial.

“Take the code but share your developments with everyone” i.e., copyleft licenses. The name comes from a play on words and the contrast with permissive licenses — Copyright/Copyleft. They require you to distribute your modified software under the same license as the original code. In a manner of speaking, they infect you with the obligation to use the same license. As such, they are often referred to as viral.

Next, I will tell you about the most common licenses and their terms of use. I also provide data on the market shares of licenses according to Statista.com.

Permissive licenses, the differences between them, their terms of use, and the consequences of violating them

The three types of permissive licenses with the most market share are:

MIT, Massachusetts Institute of Technology — gives the opportunity to freely use, change, and distribute the corresponding software. In 2021, the MIT license held the largest share in the Open source market — 26%.

Terms of Use. The terms are mandatory if you have taken the code in its pure form, without reworking it. If you have made changes to the open-source component of the code, then specify in the code that the license and rights notice apply only to the borrowed part.

You should include the copyright notice and the license text in English:

  • in the code if separating your own code from the borrowed code;
  • in the interface of the executable or license file in the repository.

The copyright notice looks like this: Copyright (c) <year> <rights holders>

BSD, Berkeley Software Distribution — allows you to use, modify, and distribute the code you take, as long as you provide attribution. BSD has a few varieties — for example, FreeBSD, OpenBSD, and BSD 1-4. I'll look at the most common ones — BSD 2 and BSD 3. They take up about 7% of all open-source projects.

Terms of Use:

  • Include copyright information in notices in the interface of the executable — or the license file in the repository if the code is used in its pure form.

  • Include the license text in English in the distribution or another place visible to the user, such as the repository, UI, or inside the source code.

  • Specify in the code that the license and rights notice apply only to the borrowed part of the code, as in the MIT license.

  • BSD 3 only: do not use the names of software authors or developers if you plan to promote the software for commercial purposes.

Apache. Developed by the Apache Software Foundation. I will consider Apache 2.0 which accounts for 22% of all open source components.

Terms of Use:

  • Insert the license text in English into the distribution or other user-visible place — for example, in the repository, UI, or source code. This requirement must be met whether you rework the original code or take the code in its pure form — unlike MIT or BSD.

  • Highlight by any available means the piece of original code that has been modified, for example, in source code comments.

  • Include copyright, patent, and trademark information in notices in the interface of the executable or license file in the repository.

  • Grant the rights to use the patent to an unlimited number of people if the code you wrote by reworking an Apache-licensed part is patented. Under the terms of the license, the transfer of rights is automatic.

  • Save the text of the Notice.txt file, a document for information or notices in the software, in one of the following places: in the distribution / in the source code / in the special "About" tab on the software screen, or in another designated place. The text of the Notice.txt file must be included in the software if the file accompanies the source code — even if you have added the license text in English to the distribution or elsewhere.

What happens if you violate the terms of permissive licenses? A company or developer can be accused of illegal use of borrowed software and sued for copyright infringement compensation. The amount depends on the size of the copyright holder's business and how exactly their software was used. I have not seen any high-profile cases related to infringement of permissive licenses — usually, everything can be settled in a pre-trial format. Nevertheless, it is better to protect yourself as much as possible and fulfill all the requirements.

Copyleft licenses — when to use them, terms of use, and the consequences of violation

I do not recommend using copyleft licenses for commercial products. The reason is that if a competitor reviews the code and finds a copyleft part, you will have to disclose the code and make the software available to the public. The possible consequences are litigation, reputational damage, losses, or the utter collapse of your business.

There are six common types of copyleft licenses on the market.

GNU GPL v3 (General Public License) — allows free use, modification, and distribution of software. Modified software can be freely distributed only under the GPL v3 license. The condition is that your product with borrowed code must be under the license of the original code — GNU GPL v3. This type covers 16% of all open-source projects.

The license was written by lawyers — in GPL v3, they went over the terminology with a fine-toothed comb, taking into account the problems of patents and tivoization, and added information about the consequences of violating the terms.

Tivoization is a situation where a developer technically prohibits users from changing the software installed on a device. For example, because of tivoization, you can't modify programs on your iPhone — you can only use the software from the App Store. The term is named after the digital video player TiVo, which prohibited anyone from modifying the software installed on it. The GPL v3 license suppressed tivoization for consumer products but retained the prohibition on modification for important devices where it is critical — such as medical devices or voting machines.

Terms of Use:

  • Include copyright, patent, and trademark notices in the UI and in the code. This condition applies even if the borrowed code has not been changed.

  • Include the license text in English in the notices in the UI of the executable and in the license file in the repository. Also, include a link to the license text if the source code has not been changed in the software.

  • Specify in the source code which part was changed, who the author was, and when the original code was changed.

  • Make the source code of the program publicly available or information where it can be obtained. This requirement must be complied with if you finalize and sell software in object code. It does not apply when the derived software is distributed under the SaaS model — without a physical device or in a cloud format.

  • Grant unrestricted rights to use a patent if it is in the derivative software.

  • Don't resort to tivoization if using original and modified software. If the original or modified software is used in a device, the device manufacturer should not prevent the code from being modified.

GPL v2 — similar to GPL v3, but GPL v2 does not address the issues of tivoization or patents. The license was written by a developer for developers, so its text is clearer and simpler. It covers 10% of the open-source market.

Terms of use:

  • Include a copyright notice in the UI and in the code.

  • Add the license text in English to the notices in the UI of the executable and to the license file in the repository. Also, add a link to the license text if the source code has not been changed in the software.

  • Specify in the source code which part was changed, who the author was, and when the original code was changed.

  • Make the source code of the program publicly available or provide information on where it can be obtained. This requirement must be complied with if you finalize and distribute object code. It does not apply when derivative software is distributed under the SaaS model — without a physical device or in a cloud format.

LGPL v2.1 — Lesser GPL, used only for licensing libraries and complements of GPL v2. Its share among all Open source projects is 6%.

Terms of Use:

  • If a library was modified, mark the modified part of the code and indicate the authors and the date of the modification.

  • Give the user of your software the tools to modify the “pulled in” library. It is forbidden to restrict the right to modify through an agreement with the user (EULA). This requirement applies only to static linking — “pulling” the library code into your software. For dynamic linking, when the library is not “pulled” into the code, there are no restrictions.

AGPL (Affero General Public License) — contains the same provisions as GPL v3 and GPL v2. The only difference is that the license also applies to SaaS solutions, when derived software is distributed in a cloud format, without a physical device.

The terms of use are the same as for GPL v3 and GPL v2.

Microsoft Public License (Ms-PL) — Microsoft’s license for distributing the source code of its projects. It does not force you to disclose the source code of the program — it is enough to distribute derived code under the MPL license. It is used in 3% of all Open source projects.

Terms of use:

  • Distribute software with MPL components in source code only under the same license.

  • Distribute software with MPL components in object code only under a license that does not require disclosure of the software source code.

  • A classical proprietary license will inevitably contradict the MPL, because such a license implies hiding the source code and distributing the software only in object code. It is, however, possible to separate the conditions for "own" and free software within the code.

  • Give an unlimited number of persons the right to use a patent, if it exists for the derived software.

  • Do not use trademarks or authors' names in the derivative software.

Eclipse Public License v.1 is the only license that explicitly permits commercial use in certain cases. It is used for the products of the Eclipse Foundation, the developer of the IDE of the same name. It occupies only 1% of the open-source sphere.

The terms of use are similar to MPL but require you to include provisions in your license to protect the original authors from any third-party claims and information on how to obtain the source code of the derivative software. It is important to protect the authors of open-source software from third-party claims if the software is used for commercial purposes. If problems arise, you will have to answer the claims yourself.

What happens if you violate the requirements of copyleft licenses? As I have already written above, you will be forced to disclose the source code of the whole program through the court and make it publicly available. Usually, the issue is solved in a pre-trial format, but there have been some high-profile trials.

Here are some examples.

Germany. Programmer and lawyer Harald Welte, for the project gpl-violations.org, successfully sued companies that were caught violating the terms of the GPL. For example, the programmer sued D-Link and in September 2006, a Munich court confirmed that the company had violated the GPL and ordered D-Link to provide the source code and cover the legal costs.

US. The Free Software Foundation and Artifex succeeded in forcing Cisco Systems and Palm, Inc. through the court to disclose the source code of their software with GPL code components.

France. The French Adult Vocational Training Association (AFPA) sued Edu4 for violating the GPL license. The court ruled in AFPA's favor and ordered Edu4 to disclose the source code of the software.

The most important points about Open source licenses in brief

All permissive licenses are suitable for commercial purposes — for example, MIT, BSD, or Apache. They allow you to distribute software in any way you want — you just need to specify the license information in the code and separate which piece of code you copied and which you wrote yourself.

Most copyleft licenses are not suitable for commercial purposes — under their terms, you need to distribute the modified software. It is important that your developments are open and free for other users. The only copyleft license that can be used for commercial purposes is Eclipse Public License v.1. Important — you will have to answer any and all claims to software with this license yourself.

3 main thoughts on Open source:

— The main idea of open source code is that it is important to know the terms of use, communicate them to everyone involved when writing the code, and strictly monitor compliance.

— Fines, lawsuits, or loss of software rights are possible consequences of violating the license terms. The amount of compensation depends on the size of the company whose rights you violated.

— If you need to prevent users from changing the software on the device, GPL v2, LGPL v2.1, or AGPL copyleft licenses are suitable.

This article was originally published on the ispmanager blog
