📖 FOSS License Compliance Enforcement

This is an excerpt from my upcoming corporate open source strategy book, being published by Pragmatic Bookshelf. All book excerpt content is early in the development process and therefore unedited; the errors are mine alone (and will be fixed before publishing 😉).


When most companies think about free and open source (FOSS) licenses, they immediately jump to the possibility of legal action for not complying with the license. In this excerpt, I discuss the realities of FOSS license compliance enforcement.

As with all matters concerning intellectual property, license infringement and enforcement are complex and have many sharp edge cases. Where infringement and enforcement are concerned, the simplest explanation is that any copyright holder has the right to enforce a license for their part of a copyrighted work. Some FOSS components can have dozens or even hundreds of copyright holders, and each one of them can be on the lookout for companies and individuals who aren’t complying with the terms of the license of the FOSS component. Furthermore, they’re within their rights to take legal action.

Don’t take this as incitement to paranoia, remaining constantly on edge awaiting notification that your company is being sued for copyright infringement because it didn’t comply with all the terms of a FOSS license. In fact, it’s rare that matters involving FOSS license compliance end up in a court of law. Part of the reason for this is that it’s relatively easy to comply with FOSS licenses, once you realise your company is party to them. The other reason is that the overwhelming majority of FOSS contributors don’t want to go to court; they want people to comply with the terms of the license. Because of that, it’s best practice in the FOSS world, when a copyright holder discovers a case of license infringement, to notify the company of the problem privately and ask them to come into compliance. The FOSS world understands that mistakes happen and prefers to assist in correcting the mistake rather than assigning blame and punishment through legal action. This approach, captured in the principles of community-oriented enforcement, was created in 2015 and is practiced by key FOSS non-profit organisations such as Software Freedom Conservancy. These principles play a valuable role in maintaining the culture and ecosystem of free and open source software by reducing the paranoia around license compliance, reinforcing the importance of the underlying philosophies and intentions of FOSS, and providing accessible and knowledgeable guidance for FOSS copyright holders.

Despite this, once in a while copyright trolls and profiteers appear in the FOSS world. These take the form either of companies that use FOSS components but wilfully neglect to come into compliance with the licenses, even when notified of infringement, or of individual copyright holders who prefer to jump directly to legal action in an attempt to extort payment from companies that unknowingly infringed on the holder’s copyright by violating the terms of the FOSS license. Thankfully these profiteers are extremely rare and usually face scorn from the FOSS community when they do arise. This community judgment also helps to keep the profiteers at bay.

Even though the negative and legal ramifications for accidentally infringing on a FOSS license are vanishingly small, it’s common to see fear-mongering and FUD spread about it in the media. Much of this fear-mongering originates from commercial SCA (software composition analysis) companies as a part of their marketing strategy, though not all of it. There’s also a large amount of wider-spread FUD centred around reciprocal (copyleft) licenses. Prior to believing any type of negative FOSS license messaging you may see, I strongly encourage you to press the paranoia pause button and recognise the messaging for what it is: manipulation for largely commercial ends.

Don’t worry and don’t believe the FUD. If your company is aware of the links in its software supply chain, does its good faith best to remain in compliance with the licenses represented in it, and fixes compliance problems if they arise, you’ll be fine.


The excerpt content is copyright © The Pragmatic Programmers, LLC and used with permission. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.

All other content of the post is Copyright VM Brasseur and licensed under CC BY-SA.