What are Your Legal Obligations When Using Open Source Licenses?

Open source software allows businesses to modify software source code, adapting it to their specific needs. It is often free or paid for by donations, making it a cost-effective way for any business to develop customized software.

While open source licenses give users huge freedom, they come with some strings attached. If your business uses open source software, you need to understand open source licences and how to comply with them to avoid legal consequences, reputational damage, and even financial penalties.

This article will break down the different types of open source licenses. We'll examine the key legal obligations associated with open source licenses and what your business can do to ensure compliance.

1. What Are Open Source Licenses?
1.1. Benefits of open source software
1.2. Common misunderstandings about open source licenses
2. Types of Open Source Licenses
2.1. Permissive licenses
2.2. Restrictive/copyleft licenses
3. Key Considerations for Open Source License Compliance
3.1. Attribution
3.2. Providing source code
3.3. License compatibility
3.4. Patent considerations
3.5. Network use
3.6. Modification and redistribution
4. Best Practices for Open Source License Compliance
5. Consequences of Not Complying
6. Summary

What Are Open Source Licenses?

Open source licenses are legal agreements that let people use, modify, and distribute open source software. Open source software is a program or platform with source code that anyone can access, modify, or enhance. The software's license explains users' rights and legal obligations.

Benefits of open source software

The advantages of open source software include:

Collaboration: Multiple developers can contribute to the same projects easily and freely, giving greater potential for innovation and more useful end products.
Transparency: As anyone can view open source code, users can understand the software and identify bugs and vulnerabilities more easily.
Customizable: Developers can customize an existing platform or piece of software without having to create their own designs from scratch.
Economical: Open source software is available either for free or on a donation basis, making it a cost-effective option. Businesses can develop tailored software on a budget.

However, open source software could become very expensive if users do not comply with the terms of the license.

Common misunderstandings about open source licenses

The term "open source" and the software's easily accessible nature could give the false impression that there are no rules to follow. In fact, there are different requirements depending on the type of license, and developers must follow these restrictions.

Some people also fall into the trap of thinking open source licenses are not enforceable. As reported by DLA Piper, open source license violations can be costly. In February 2024, Orange S.A. was ordered to pay over €900,000 for violating the GNU General Public License (GPL).

DLA Piper: Court of Appeal Paris: Fine for violating GNU GPL License

Other users have wrongly concluded that attribution is unnecessary when using open source software. While this may be true of some licenses, it is usually a legal requirement - and if not, at least good manners - to credit the original developers.

Types of Open Source Licenses

There are two main categories of open source licenses: permissive and restrictive (copyleft).

Permissive licenses

Permissive licenses allow users to use the software in almost any way they choose, including on proprietary projects, as long as they provide attribution. Some of the most popular permissive licenses include the MIT License, Apache License 2.0, and the BSD Licenses.

The MIT License example below, taken from the Open Source Initiative, highlights standard features of permissive licenses. These include:

The copyright holder must be attributed
Full permission to use, modify, distribute, and sell copies of the software is granted
Copyright notice and permission notice must be included in all copies of the software

Open Source Initiative: MIT License: Example of Copyright Notice

Restrictive/copyleft licenses

Commonly known as copyleft or reciprocal licenses, restrictive licenses place more restrictions on what users can do with modified (derivative) versions of the software. They typically require that derivative versions be open source and distributed under the same license terms.

Copyleft licenses are a way for developers to ensure their software remains open source. If they have gone to the trouble of using a strong copyleft license, you can be sure they are interested in enforcing it. So be sure to follow all rules and restrictions included in the license to avoid legal issues and potential penalties.

There are two types of copyleft licenses strong and weak.

Strong copyleft: Requires users to release derivative versions under the same license as the original. Examples include GNU General Public License (GPL) and the Sleepycat License (see below, from SPDX.org.)
Weak copyleft: Depending on the terms, it may allow the derivative work to be released under a different license. Examples include GNU Lesser General Public License (LGPL) and the Mozilla Public License.

As seen in the LGPL example below taken from the GNU Operating System, combined works--software that combines code from two or more open source developers--may be released under "terms of your choice." However, it's important to note that you must still prominently display the LGPL with the new product.

So, how can you maximize the benefits of open source software without falling foul of licensing requirements?

Key Considerations for Open Source License Compliance

The legal obligations for using open source software will depend on the type of license. However, there are several common requirements you will likely need to comply with.

Attribution

Attribution requirements mean that you must give credit to the original authors. You may be required to do this in several ways, including:

Retaining copyright notices in the code
Referencing the author and license in accompanying documentation
Not misrepresenting the code as having come from another source

Failing to attribute code to its original authors could result in litigation and expensive fines.

Providing source code

Copyleft licenses typically require users who modify and distribute software to include the source code. As shown below in the copyleft Sleepycat License, the source code must either be provided or information on how to obtain it for a nominal charge must be included.

Sleepycat License: Copyleft: Provision of redistribution

Copyleft licenses may also require you to:

Make your modifications publicly available
Use the same license for your modified software

The Orange infringement case mentioned earlier fell foul of this requirement. As DLA Piper reported below, every business needs to check open source licenses’ notices and source code requirements before deciding whether to use them, and then ensure they comply before releasing them.

DLA Piper: Orange Infringement case on GNU GPL

License compatibility

It's common for developers to combine multiple open source components in a single piece of software. However, before doing so, ensure the licenses are compatible. While some copyleft licenses, such as GPLv3, are generally compatible with other permissive licenses, it may be impossible to combine them with other strong copyleft licenses.

Remember, the final project must comply with all license terms of any source code used. Trying to combine open source software with incompatible licenses will create legal conflicts. For example, the GPL prohibits adding additional restrictions. This may make it impossible to combine it with the BSD license's advertising clause, which is not present in the GPL.

Some open source software providers make it easy by spelling out known compatibility issues. In the example below, Apache notes that its License Version 2.0 is compatible with GPL version 3, but not version 2.

Apache License 2.0 not compatible with GNU GPL Version 2

The takeaway: Before incorporating third-party code into your project, check license compatibility first. This will save a lot of wasted time and prevent potential legal issues in the future.

Patent considerations

Some open source licenses contain patent clauses. As open source software is built around collaboration, patent clauses typically give users the right to use all software-related patents. However, in return, users are likely to be prevented from enforcing patents to restrict others from using the software.

As can be seen in the Apache 2.0 license, every contributor gets a free patent license without fear of being sued for patent infringement. The license can only be taken back if you break the rules set out in the clause by suing them for patent infringement.

Apache License 2.0: Free Patent license provision

Network use

This is a relatively uncommon clause that could catch unsuspecting developers out. Certain licenses, including the GNU Affero General Public License v3.0 (AGPL) have clauses that apply if you modify the software and use it over a network but do not distribute it.

As shown below, if you modify software with an AGPL license and use it on a cloud-based service, you will need to release the source code:

AGPL License: Corresponding source must be released

Modification and redistribution

Do not assume you know the open source license's modification and redistribution rules. While permissive licenses often allow you to modify, distribute, and sell software, copyleft licenses tend to have stricter requirements.

The bottom line is never to assume, always to check, and avoid accident license violations and potential consequences.

Best Practices for Open Source License Compliance

Ideally, open source license compliance begins before embarking on a project. The following checklist can give you the best chance of getting the best out of open source software without running into legal difficulties:

Review license terms carefully: Before using any element of open source software, read and understand the license requirements. Check that licenses are compatible and avoid using any that are not. If you are unsure about any aspect, consult a legal expert to help you stay on the right side of the law.
Keep track of open source components: When developing a product and modifying code, it can be very challenging to keep track of all components and the requirements of their respective licenses. Consider using software composition analysis (SCA) tools. They can help you identify the source of all code used, allowing you to attribute it and comply with license requirements.
Attribute correctly: Ensure that all open source code is correctly attributed and that accompanying copyright notices and license texts are included in documentation when distributing it.
Meet source code distribution requirements: Ensure you comply with copyleft license requirements to provide the source code and use the same license on modified software.
Check for network use requirements: If you plan to use AGPL-licensed software, comply with its requirements even if it is only used on a closed server.
Create a compliance policy: A compliance policy can help your business comply easily. It should include all the points above, along with specific considerations for each type of license. A robust policy can help your developers maximize the potential of open source software while minimizing the risks.

Consequences of Not Complying

As we saw in the example of Entr'ouvert v. Orange, open source license violation cases can result in substantial damages and legal costs for the at-fault party.

At the other end of the scale, the 2023 case of Steck vs. AVM was a David and Goliath tale of an individual taking on a major European company. AVM failed to disclose the full source code of its FRITZ!OS operating system, which is itself a modified form of Linux. This violated LGLP v2.1.

In this case, the individual developer, Sebastian Steck, only won €7,500 in legal expenses, but crucially did receive the code AVM had previously withheld. While the award was small, it highlighted that open source licenses are enforceable and even large companies will be held accountable for violations.

The takeaway is that whether you're a small startup or a global behemoth, open source licenses need to be carefully adhered to. Whether the financial penalties are small or large, no business can risk the reputational damage and adverse publicity that open source license violation cases bring.

Summary

Open source software lets businesses develop customized software without major investments. However, it is important to recognize that open source licenses impose strict legal responsibilities.

Licenses fall into two main categories: permissive and copyleft. Permissive licenses impose minimal restrictions, and typically only require attribution. However, copyleft licenses impose source code distribution rules and may require the same license to be used on products that use their source code.

Open source license compliance focuses on tracking the use of components, reviewing license terms carefully, and maintaining accurate attribution. When combining open source components in a single project, developers must ensure license compatibility before development work begins. Understanding and following open source licensing rules can help your business reap the benefits of open source software while minimizing legal risks.