WHITEPAPER
Lawyers & Licenses in Open Source-based Development: how to protect your software & your sanity
Page 2
Lawyers & Licenses in Open Source-Based Development: How to Protect Your Software & Your Sanity
overview
You can build better software faster with Open Source Software (OSS) components, but you
must ensure that your organization meets component-licensing terms. Violating the terms
of an open source license is copyright or intellectual property infringement and can lead to
legal and financial penalties.
What is open source licensing?
Source-code authors own their work, and it is protected by copyright. Open source licensing protects the intellectual property rights of the original creators and determines the way in which their work may be used and distributed by others.
Common open source license types
There are hundreds of open source licenses, each with distinct
rules and regulations regarding the licensing of OSS components.
The most common types of open source licenses are:
• “Liberal” licenses, such as Apache, MIT or BSD, allow you to copy, modify and distribute derivative works with limited conditions. These typically include attribution to the original authors and a copyright notice. These licenses most often are found on lower-level projects.
• “Weak Copyleft” licenses, such as Mozilla, Eclipse and the GNU Lesser General Public License (LGPL), allow you to copy, modify and distribute larger works that include open source components, but require you to make source code and documentation available for any modifications to the initial component itself. These licenses tend to be used in libraries or platforms.
• “Copyleft” licenses, like the GNU General Public License (GPL), require you to license applications under the same Copyleft license even if they just include a single component licensed in this way (see Figure 1). This includes the requirement that the application’s source code be made available when it is distributed outside of your organization. In some cases, such as the Affero General Public License (AGPL), the right to obtain source code is extended to any network user of the licensed work. This type of license is generally incompatible with commercial software.
Figure 1: “Copyleft” licenses require you to license applications under the same Copyleft license even if they just include a single component licensed in this way. This type of license is generally incompatible with commercial software.
Choosing the right license type for a new application and adhering to all open source license obligations throughout the software development lifecycle can be tricky. Several common license types are incompatible and cannot be combined into a new application (see Figure 2). You’ll need the right tools and information to select appropriately licensed components—and ensure that you are complying with license terms.
Java open source dependencies
Java component-based development introduces unique licensing issues:
• It is often difficult to determine a component’s licensing terms. Project owners may omit licensing information or submit incorrect information when publishing their project to distribution sites such as the (Maven) Central Repository.
• You must consider the license of every component, including all dependencies. If even a single Copyleft licensed component, no matter how many levels deep, is included in your application, then the entire application must be licensed under that Copyleft license (see Figure 3).
Figure 2: You can’t combine components with incompatible licenses into an application.
Figure 3: You must consider the license of every component, including all dependencies. If even a single Copyleft licensed component, no matter how many levels deep, is included in your application, then the entire application must be licensed under that Copyleft license.
Cut through the complexity
Evaluating the legal obligations of open source components can be difficult and time-consuming. Nexus Lifecycle (formerly Sonatype Component Lifecycle Management) can help. Nexus Lifecycle delivers actionable licensing, security and quality information about open source components utilized throughout your organization. By integrating with your existing tools and processes it gives you the licensing information and management you need, when and where you need it:
• Enable developers to choose appropriately licensed components during design and development with information in their IDE.
• Identify and manage component licensing during the build phase to address issues quickly and avoid costly rework.
• Analyze your existing applications to identify problematic licenses, including all dependencies.
• Gain visibility into which licenses are being downloaded by your organization from the Central Repository.
Using automated policies to guide license decisions
As we have explained, understanding and choosing appropriate open source licenses is essential to software development. The challenge most organizations face is how to address this issue without slowing down the development process, either during development or later when an application scan or analysis uncovers numerous potential license violations requiring tedious research and remediation.
Most organizations view open source policies as an essential method for avoiding copyright risk. Yet manual policy approvals and workflows slow the development process, and developers often find workarounds.
Another approach involves policy automation combined with built-in component intelligence. The developer has instant visibility into the license for a component and the associated risk of using it based on the organization’s established policy. Furthermore, when an inappropriate license is used, an email alert is triggered and sent to various stakeholders.
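The transitive-dependency rule from the Java section (one Copyleft component at any depth taints the whole application) and the automated policy evaluation described here, as an added Python example that is not code from the whitepaper or from Nexus Lifecycle; the component coordinates, license identifiers and policy thresholds are constructed for illustration:

```python
# Added example for this whitepaper, not code from the paper or from Nexus
# Lifecycle. Component coordinates, versions and license strings below are
# constructed sample data; the policy rules restate the license categories
# the text describes (liberal, weak copyleft, copyleft, AGPL).
from dataclasses import dataclass, field
from typing import Optional

# License categories as the text groups them (SPDX-style ids chosen for the
# sample; a real policy engine would map many more identifiers).
CATEGORY = {
    "Apache-2.0": "liberal", "MIT": "liberal", "BSD-3-Clause": "liberal",
    "MPL-2.0": "weak-copyleft", "EPL-1.0": "weak-copyleft",
    "LGPL-2.1": "weak-copyleft",
    "GPL-2.0": "copyleft", "GPL-3.0": "copyleft",
    "AGPL-3.0": "network-copyleft",
}

@dataclass
class Component:
    coord: str                       # Maven-style groupId:artifactId:version
    license: Optional[str]           # None models a POM with no license block
    deps: list = field(default_factory=list)

@dataclass
class Finding:
    path: tuple                      # root -> ... -> component that triggered it
    license: Optional[str]
    severity: str                    # "fail", "warn" or "info"
    reason: str

    @property
    def depth(self):
        return len(self.path) - 1    # 1 = direct dependency, 2 = its dependency

def evaluate(root, distributed=True, network_service=False):
    # distributed:     the application ships outside the organization
    # network_service: users interact with it over a network (AGPL trigger)
    findings = []
    seen = set()

    def walk(comp, path):
        if comp.coord in seen:       # a diamond dependency is reported once
            return
        seen.add(comp.coord)
        if len(path) > 1:            # the application's own license is not a dependency
            cat = CATEGORY.get(comp.license, "unknown")
            if cat == "copyleft":
                findings.append(Finding(path, comp.license,
                    "fail" if distributed else "warn",
                    "copyleft: whole application must carry this license "
                    "when distributed outside the organization"))
            elif cat == "network-copyleft":
                findings.append(Finding(path, comp.license,
                    "fail" if (distributed or network_service) else "warn",
                    "AGPL: source must be offered to any network user"))
            elif cat == "weak-copyleft":
                findings.append(Finding(path, comp.license, "warn",
                    "publish source of any modification to this component"))
            elif cat == "unknown":
                findings.append(Finding(path, comp.license, "warn",
                    "license metadata missing or unrecognized; verify by hand"))
            else:
                findings.append(Finding(path, comp.license, "info",
                    "retain attribution and copyright notice"))
        for dep in comp.deps:
            walk(dep, path + (dep.coord,))

    walk(root, (root.coord,))
    return findings

def verdict(findings):
    """A single failing component anywhere in the tree fails the application."""
    return "fail" if any(f.severity == "fail" for f in findings) else "pass"

# Constructed sample tree: a proprietary app whose only copyleft dependency
# sits three levels down, plus one dependency that declares no license.
SAMPLE_APP = Component("com.example:billing-app:1.0", None, [
    Component("org.sample:web-core:3.2", "Apache-2.0", [
        Component("org.sample:json-lite:1.4", "MIT", [
            Component("org.sample:pdf-render:0.9", "GPL-3.0"),
        ]),
    ]),
    Component("org.sample:db-driver:5.1", "LGPL-2.1"),
    Component("org.sample:util-misc:2.0", None),
])

if __name__ == "__main__":
    for f in sorted(evaluate(SAMPLE_APP), key=lambda f: f.depth):
        print(f"[{f.severity}] depth={f.depth} {f.path[-1]}: {f.reason}")
    print("verdict:", verdict(evaluate(SAMPLE_APP)))
```

The same walk is what a build-phase gate would run before packaging: the GPL component three levels down fails the distributed build, while the same tree passes when the application is only used internally.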
Figure 4: Nexus Lifecycle includes standard policies for not only license risk (shown), but
also security and architecture—all out-of-the box and ready to implement or customize.
a lawyer’s perspective
By Heather Meeker
Many companies have come to realize that managing the use of open source without
automation diverts business, technical and legal resources, which is part of the true cost
of free software. The last decade has seen an evolution of automated tools to help identify,
track, and manage the use of open source software. The best tools can help manage use of
software in an integrated way, not focusing on open source or proprietary software to the
exclusion of the other.
One such approach is Software Supply Chain Management, the process of providing developers with collaborative tools, intelligence, and control at every phase of the application lifecycle that addresses the management of licensing risk for component-based development. Sonatype has a solution, Nexus Lifecycle, that provides a set of software management tools designed to help organizations incorporate supply chain practices easily into their development processes. For instance, such tools enable organizations to select appropriately licensed components during design and development; identify and manage component licensing during the build phase to address issues quickly and avoid costly rework; and scan existing applications to identify licenses and dependencies, so you can assess these against corporate policy.
Heather Meeker
Source: TechCrunch, “Open Source Software: Compliance Basics and Best Practice,” by Heather Meeker, a leading authority on open-source software licensing. Ms. Meeker is currently employed at O’Melveny & Myers, LLP.
Remediating risks early in development
When combining automated policies with component intelligence in the IDE, developers are easily able to identify which components violate policies and which versions are preferred instead.
Figure 5: By integrating component intelligence directly into the most popular developer tools, choosing a safe component takes no longer than choosing a risky one. In this example of an Eclipse interface, developers can easily identify component risk and choose a better option.
For more information about Sonatype, visit www.sonatype.com
Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com
2015. Sonatype Inc. All Rights Reserved.
Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository, serving 17.2 billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com