Open Source best practices
Today, all software vendors make use of open source.
They strive for excellence in using open source software in commercial software products while ensuring licensing compliance and governance.
They strive for excellence in using open source based business models for commercial success.
They strive for excellence in leveraging development models that are used in open source communities and adapting these for in-house use at commercial software vendors.
They analyze usage of open source software during due diligence in acquiring software companies.
To reach excellence you have to be equipped with knowledge about best practices for open source. This blog is meant to provide you with the latest knowledge about open source, esp. open source licensing in commercial software, to reach excellence in open source matters. Please find more information in the book “Best practices for commercial use of open source software”.
Open Source and Open Source Licensing for commercial software
This page shows you why you should carefully consider using open source software in commercial software: Advantages and disadvantages of open source usage, why open source is used in commercial software and how to manage open source licensing and to control open source usage.
Most important is professional management of open source usage by defining an open source policy for your software company and by following structured processes for open source licensing approval and control. Rest assured that attorneys, consultants and tool vendors are there to assist you.
Advantages of Open Source usage
Simple and fast access to open source is often named as a key advantage. Low cost and high quality are additional reasons to consider open source. For a software vendor, there might also be a strategic advantage in using open source software to provide the "non-competitive" part of a solution, while the developers focus on the competitive part of the solution.
Motivation for open source usage in commercial software
Usually there are numerous open source components used in commercial software. It makes sense to use open source in commercial software if and only if you can comply with the open source license attached to that open source software. If you do so, you can leverage open source to quickly create functionality and to build on trusted functionality that is provided by software vendors or the open source community.
Relevance of Open Source Licensing
Open source components like the International Components for Unicode (ICU) or Hibernate are used in many commercial software solutions. Non-compliance with the license terms can have dramatic consequences. To avoid these open source licensing consequences, a software vendor has to establish an open source licensing policy and practice. But what are the negative aspects and side effects of open source licenses? Open source licensing is also a relevant part of due diligence efforts in the software industry as explained in this book:
Potential disadvantages of open source usage
Use of open source in commercial software can have the following disadvantages:
Missing commercial services, like support and service level agreements, impact the ability to run in commercial environments;
Commercialization of software might be blocked;
Missing or incomplete license attributes, e.g. for sublicensing software or running software in an on-demand environment;
Missing warranty and liability;
Non-compliance with license terms might lead to litigation.
Open Source licenses and software supply chains
Usage and licensing rights are transferred between players in the software supply chain. Software passed along the supply chain might contain open source software, too. Due to the copyleft effect in certain licenses, the non-compliance of one supplier might impact all other software companies down the supply chain.
So software vendors should diligently check which open source components are contained in the software supplied to them and which license terms apply.
The use of tools eases the work on this problem. You can use open source scanners to find open source code and the corresponding license terms. Please find more information in the book “Best practices for commercial use of open source software”.
Open Source Software License Due Diligence
Often, commercial software contains open source components. In the due diligence for acquiring a commercial software company, you have to check if the company complies with the licenses for open source software contained in their products (open source due diligence). The following figure shows typical components of commercial software that are analyzed during due diligence. They come from service providers and from suppliers of OEM software, freeware and open source software, and they are created by employees, too.
Next in due diligence we look at the utilization of open source software. In the following figure the software vendor distributes the software products to resellers and to direct customers. The key fact that triggers open source license compliance is often distribution. With the distribution, the open source license terms apply and have to be complied with. Often open source license terms require that the source code is revealed and/or the software has to be provided free of charge. This is of course a critical issue in the due diligence of commercial software.
Software vendors' core business is monetization of usage rights granted to customers. Open source software and corresponding licenses have to be diligently analyzed in open source due diligence.
You have to ensure that
all current and planned utilizations of open source software are covered and that
no open source license terms are violated.
Open Source Software Governance
Open Source Governance is the risk management process for using open source software in commercial software products. So what is the risk in using open source software?
Open source usage has several risks, like:
Operational risk: Missing commercial services, like support, might impact the ability to serve customers well in commercial environments;
Commercial risk: Monetization of software products might be blocked by open source licenses; missing warranty and liability terms for software increase the warranty and liability risk for the commercial software vendor; limitation of business models and delivery models might occur if the open source license does not explicitly allow them or even forbids them.
License attribute risk: Missing or incomplete license attributes, e.g. for sublicensing software or running software in a cloud environment; non-compliance with license terms might lead to litigation.
Patent litigation risk: open source software might violate intellectual property rights like patents and this poses a legal risk.
Establishing open source governance
Proactive management of open source usage and open source licensing is paramount for commercial software vendors. From design to shipment of software solutions, open source governance is required. Please find more information in the book “Best practices for commercial use of open source software”.
Before you start with open source governance, you have to define your open source policy containing:
Risk level accepted by the management
Overall investment in organization, processes and tools for open source compliance
Level of management to approve open source usage
Frequency and intensity of governance
Software license tracking: Open source scan tool selection
Size of open source governance functions
List of acceptable open source licenses based on risk level
Budget for Open Source Scan Tools
A process for governance of used open source components.
We see two types of open source governance: reactive and active. Reactive open source governance just reacts to open source components used in commercial software and provides an evaluation of whether an open source use is acceptable or not. As a result, the open source component can be used or has to be removed from the product.
An active approach to open source governance is to provide access to open source components from within development tools. The development tools allow those open source components that the company permits under the open source policy. Please find more information in the book “Best practices for commercial use of open source software”.