Software developers and leaders, including myself, are not usually lawyers. That doesn’t exempt us from knowing the basics of how the law protects intellectual property (IP) like source code or how to properly protect our own IP and use the IP of others. In this article, I focus on Open Source software, how it is protected by copyrights and licenses, and a little bit on what to expect if you start creating your own Open Source Software.
Open Source Software drives modern technology. Almost every type of software has a major player that is open source: browsers (Chromium, Firefox), operating systems (Linux), content management (WordPress), programming languages (too many to count), and artificial intelligence (again, too many to count) all have significant players who are open source. Most modern web applications are built using tons of Open Source software both as part of the application code and as part of the infrastructure that delivers that code to the user.
Like everything in software, passions run high in open source. Just asking the question “what is Open Source?” can cause a flame war. I will use this simplified definition for this article:
Open Source is software that makes its source code available to any user of the software.
I am choosing to only include users for this definition because some types of licenses used for Open Source will create an obligation to provide that source code to users of the software. So why do licenses matter? Licenses are the means by which we get the right to use copyrighted code. We care about properly obtaining that right because the cost of settling copyright violations can be huge and even involve prison time if determined to be willful. In addition to the cost of settling a copyright violation, properly crediting or compensating the creators is a moral, ethical, and even practical matter. If you need support and lost track of who the creator was, you’re going to have to solve the problem all by yourself.
Copyrights and software
The first thing to know about copyrights is that code or any other work protected by copyright receives that protection by default in most countries. That’s thanks to the Berne Convention’s protocols on copyright. “Most countries” is a very broad statement: so many nations subscribe to the Berne Convention that Wikipedia decided it was far easier to list the countries that do NOT subscribe to it. Being copyrighted by default means that the creator does not need to actually declare it to be copyrighted; just the act of writing code down copyrights the code. The Creative Commons organization goes as far as to say that the author saying “this is public domain” is not enough in some jurisdictions to remove these protections and has created the CC0 license for those authors who want to make something freely available. Copyright is not a short-term protection: if the creator is an individual, the copyright period outlives them by decades. There are other rules in place if the creator is anonymous/unknown or the copyright belongs to an organization (usually because that organization is the author’s employer or contracted using a work-for-hire arrangement), but suffice it to say copyrights last a long time.
Even if you see code on a question and answer site like Stack Overflow, it’s copyrighted. Stack Overflow’s terms and conditions do not allow you to just copy code and use it. When you copy code from Stack Overflow, the terms require you to credit the author. That’s not a huge burden: simply adding a comment in your code with the link to the Stack Overflow page you got it from may be enough to satisfy the attribution rule. That also usually only applies if you are copying the code. If you are looking at how something was done and writing your own code, then you usually won’t need to attribute the code. There are some gray areas, especially with very small amounts of code, but remember that copyright is really only about copies. Using someone else’s style isn’t a matter for copyright. Using someone else’s solution to a problem, but writing the code in a completely different way, also is rarely going to be a copyright question. There are other areas of intellectual property law that can come into play (patents and trademarks/service marks) though.
In the US, we have a notion of “fair use” that allows you to use something without violating copyright. Unfortunately, there is a lot of ambiguity in fair use. It’s too much for me to cover in a single article or in a single brain and, like so many things in law, terms sometimes don’t mean what you think they mean (e.g., non-commercial use often does not include personal use). What I can say is that small, incidental amounts of copying that align with the fair use provisions are usually not going to be an issue and if your purpose in copying is to educate or critique, you’ll generally be safe. If you are using just one image from a 90-minute movie as part of discussing the movie in a blog post on a personal site, that’s a very easy case for fair use. Please keep in mind that fair use is not applicable in all nations and definitions vary. Outside of fair use, the copyright owner gets the right to determine how copies are made. In the world of software, we traditionally use a license (a form of contract) to tell the person who gets the copy how they can use and make their own copies of the software. There are all kinds of licensing schemes out there and they go beyond just governing how to make copies. Business-to-business licensing schemes can require dozens of pages to describe the licensing options available for a single software solution. As mentioned above, sometimes an author decides to make the software available for free. That’s where Open Source Software starts to poke its head into the picture.
Let’s get this out of the way though: just because it is free to use doesn’t make it open source. Even if you see the source code, it may not be truly Open Source. This is also true on code sharing sites like GitHub: if you don’t see a license then you legally cannot copy that code! The code is copyrighted and without a license, it needs to sit right where it is. You can study it, but you can’t take a copy and use it. Your only other recourse at that point is to contact the author and ask their permission to use the code.
Fortunately, most GitHub repositories do have a license attached. Those licenses will usually use a standard license template to simplify both the software author’s life and yours. Like any other legal contract, different licenses have different terms. We can lump most license templates into one of two types:
- Copyleft Licenses
- Permissive Licenses
Copyleft licenses, like GPL version 3, have an agenda. That agenda is to get other software creators to make their software open source as well. While terms vary, copyleft licenses will require you to share source code with your users and possibly also share any modifications with the original authors. Some licenses trigger that provision when you distribute/make copies of the software and don’t apply if you’re using it to do something like run a web server that others access. Other licenses (e.g., AGPL) will require you to share source code even if you’re not distributing the software. Copyleft licenses will also require that any derived work or work that embeds the software also be licensed using a similar license. That’s right: copyleft is viral. The people who advocate for copyleft are trying to open up all software. They also have a pretty strong point that if someone else is benefitting from their work, that person should share too.
That viral nature can force a company to disclose its trade secrets and other intellectual property and that’s what worries companies who are making their own software. If they use a small portion of copyleft code in a product they are creating, it could force them to make all of that product open source. Fortunately, it really only applies to derived works. If you’re using a copyleft licensed spreadsheet software to create spreadsheets, it’s not going to apply to those spreadsheets (at least for common licenses). If you change the software to add a feature or fix a bug or, for some licenses, embed it in other software, then the license would trigger. Even then, it usually only triggers if you distribute the software, so changes made and used internally by an organization usually are not an issue. Licenses vary and exceptions abound, so read the license carefully.
If all open source was copyleft, I’m pretty sure the web would not be what it is today. In the early 2000s, any company I talked to would avoid open source software in part for the reason that they were scared they’d have to release their own code. Even small, one-person software projects could get nervous about that. As more developers started targeting the web, more developers started saying “I want to share my code, I really don’t care how it’s used.”
Those more laid-back creators tended to just be happy that someone was using their code and only wanted to be recognized for it. These authors used permissive licenses. While the terms of these licenses vary, they usually include two things: 1) you can use and modify the code and 2) you just need to give credit to the author. The most common permissive license is the MIT license. Another important component of both copyleft and permissive licenses is a statement that the software is provided as-is and without warranty.
Some permissive licenses even go as far as to drop the requirement to give credit to the author. I still think it’s good practice to give credit because that will make it easier to track down when you find a bug and want to see if there’s an update or want to report it.
The upshot of permissive licenses is that they are more attractive to commercial users because the commercial users don’t need to be worried that they would make a modification that would require trade secrets to be exposed. Now, most of the Big Tech companies have their own Open Source projects producing widely used and free code, most using permissive licenses like MIT (e.g., React, Angular). Personally, I see value in both types of licenses; it all depends on what I want to get out of the project. Nadia Eghbal has a great book called “Working in Public” that discusses the background in detail and the personalities and politics of both the copyleft and permissive groups.
Becoming an Open Source author
So what if you have some of your own code and want to make it Open Source? What should you think about? Here are a few things to consider:
- Do I even have the right to Open Source this code? Do I own it or does my company or a customer own it?
- What license do I want to use?
- If I make it Open Source, can I get paid for it?
- Is it even a good idea?
Do I even have the right to Open Source this code?
If you have a personal project created using a computer that you own using software you’ve licensed yourself and on your own personal time, you might have the right to make it Open Source. However, depending on where you live and what you signed when you took a job, your employer may own work that you’ve created even though you used all your own time and resources to create it. Check any applicable employment agreements, company policies, client contracts and so on. Probably the best advice I can give in this article is never sign a contract that says your employer owns everything you create regardless of whether it’s related to your duties and what resources you used. Some US States protect the worker’s right to keep title to work done on their own time and resources. Other jurisdictions do not have this protection. Do assume that anything you create for an employer on company time and using company resources as part of your normal duties is going to belong to the company.
For clients where you aren’t a direct employee (e.g., you are a freelancer or working via an outsourced development firm), you should get familiar with the contract. If it doesn’t state rights are retained by the client, then they probably belong to the organization that wrote the code (if you are working via an outsourced development firm, that firm most likely owns the code). This is definitely a case where you should get qualified legal advice and not listen to a washed up developer on the Internet.
What license do I want to use?
When choosing a license, stop and ask yourself just how free you want your software to be. That permissive license that says “use this however you want” is giving permission for a big company to use your software to make mountains of money and never send a penny your way. If you’re not at peace with that, then STOP! That license is not for you. Even if you make that awesome new web server AGPL and require anyone who uses it to share their source code, that’s not stopping anyone from using it to make money. They can certainly charge for the hosting and share the source code and never send you any money. How grumpy will you be when Amazon hosts your code on AWS and makes millions while you worry about paying your mortgage?
At this point, some people will decide to only license their software for free for non-commercial use. Outside of the term non-commercial not being as cut and dried as we tend to think it is, we also should no longer consider the software to be Open. Open Source means open for anyone; you’ve now pulled the “any” out of it. It’s free-ish software at that point. That’s fine if that’s what you want, I’m not judging you. I think the distinction matters because you will now need to answer other questions like “how do commercial users get it?”, “how do I get paid by those commercial users?”, “how do I properly pay taxes?”, “how do I enforce licenses?”, and “what legal messes may I now need to deal with?” With Open Source software, you can possibly get legal support via one of the Open Source organizations to help you enforce licenses. It will be more difficult to find a lawyer to help you without spending a pile of money when you are walking a path not supported by one of those orgs.
Can I charge for Open Source?
With many of the common Open Source licenses, there is nothing stopping you from charging for the software. Keep in mind that if you’re attaching an Open Source license to it, there’s not really anything to stop the buyer from giving it away in turn. It also is likely to provoke a “what did I pay for” reaction. The more common approach to get paid is either a “freemium”/open-core model or a services model. Freemium/open-core [1] is where you offer a free version of the software and charge for an ‘enterprise’ or ‘pro’ version that has more features. In a services model, you charge for enhanced support, implementation, training, or hosting the software on your own servers. Of the various models, the freemium and hosted models seem to be the most successful. Few companies seem to be successful with the other services approaches. Sure, there are cases where they have worked, but there is also nothing stopping anyone else from offering the same services. Freemium and hosting both require additional work, creating a taller barrier to entry for competitors.
Is it even a good idea?
Yes, no, and maybe.
I am an advocate for Open Sourcing your code. In addition to being a form of pay-it-forward to the community, it also helps market your organization to customers and recruits by being another channel to get your name out there. Even as an individual, it helps build your personal brand and allows you to pursue projects that you may not be able to pursue otherwise. However, we need to be careful about what we open source and how we open source it.
Be ready to support your users. There are many abandoned open source projects, so only put it out there if you are going to maintain it or know you have people to help maintain it. Bug reports will come in, and you’ll need to respond to them. Unfortunately, the open source community is loaded with examples of users who were complete jerks to authors. The level of entitlement some users bring can be surprising to someone who put something out there for other people to use for free and forgot to think “this is still the internet.” Even outside of the entitled jerks, some authors just aren’t prepared to deal with support questions or suggestions for new features. What is sometimes worse is managing well-meaning developers from outside the project who are trying to help but actually take more time to manage than they save the authors.
There’s too much to unpack in the world of Open Source to cover it all in a single, albeit long, article, so here are a few resources for further reading.
- https://opensource.org/ - The Open Source Initiative
- https://opensource.org/docs/osd - The OSI’s definition of Open Source
- https://www.fsf.org/ - The Free Software Foundation
- https://www.gnu.org/philosophy/free-sw.html - The FSF’s definition of Free Software (via the GNU project)
- https://openssf.org/ - The Open Source Security Foundation
- Eghbal, Nadia - Working in Public: The Making and Maintenance of Open Source Software, https://press.stripe.com/working-in-public
[1] For this article’s purposes, the biggest difference between freemium and open-core is that freemium is the broader category and makes no promise that anything is made open-source. Open-core means there’s a part offered for free and that part is open source.