<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

Open source licenses AMA recap: containers, compliance, reputation, dragons, and more

Amy Hays
by Amy Hays
on January 12, 2021

Don't miss the latest from Tidelift

A few months ago, Tidelift co-founder and open source licensing expert Luis Villa sat down with IP lawyer Kate Downing to answer your licensing questions. We learned about the latest in the Google-Oracle case, how to shift company culture to be more focused on doing licensing well, licensing for new technologies like containers, and more!

Read on to get some of the highlights, or watch the full session on demand.

How do we manage licensing for container images?

Kate: “While downloading images of containers feels easy, it comes at a compliance trade off because it’s impossible to track all the individual licenses for most containers—it’s one of those reasons that companies view lawyers as killjoys sometimes. The best thing to do to mitigate your risk is to go with containers from trusted sources like Red Hat.”

Luis: “There will be more of these in the future—AWS has just started putting out some containers with good licensing, Microsoft has at least been talking about it, so has GitHub. It will be interesting to see how this space evolves. We also discussed containerization as a possible way of limiting the virality of a copyleft/GPL license—it essentially could separate the GPL component, although it does so at the cost of limiting certain kinds of interactions between software.”

If OSS is being used with less care, what’s the best way to move the company towards a more compliant approach?

“The number one risk from open source, and thus the biggest selling point for compliance, is to your reputation.”

- Kate Downing

Kate: “The number one risk from open source, and thus the biggest selling point for compliance, is to your reputation—it really has to do with how developers in the company perceive you, your ability to recruit, your ability to not become the boogeyman on Hacker News. Now you do want to start your product on the right footing—because obviously if you do get big you might get sued—but the reality is that reputational harm is most significant.”

Luis: “You can also bring up the potential disruptiveness of licensing issues. Let’s say someone does point out you are violating an open source license. Compliance is fairly straightforward, but it’s time consuming—especially if you have to fix it after the fact. Planning up front can fix a lot of problems that would become big and disruptive later. Finding out you are violating the GPL at exactly the wrong time can be a real distraction from work that you could be doing on new product features that your customers want.”

Kate: “Every time you go for an investment round, everyone will look for disclosure on what open source you use. If they see a bunch of things that make them ask questions, you are not going to get your funding. Same if anyone wants to buy you, they’ll do their due diligence, they’ll care about this. And it comes up in other places you won’t expect—if you’re using gated distribution like the App Store or Play Store, a lot of times they’ll expect you to submit a disclosure file. Fortune 500 clients will ask for OSS disclosure.”

Luis: “Yes, distribution is the point where it’s a real pain, and if you are in electronics or hardware, honestly you’re more likely to be sued and the plaintiff is quite likely to win a judgement. It’s way harder to fix electronics issues and other physical objects and hardware once you get to the point of sale. Corporate buyers will definitely want your bill of materials and that will include your OSS.”

One of our Tidelift maintainers asked: Are there any OSS licenses that are retractable?

Kate: “Of the normal things that you see people using, no, none of them are retractable. If you license version 1 under BSD, it is always under BSD. Then you can license version 2 under the GPL—but version 1 is permanently under BSD and you can’t stuff that cat back in the bag.”

Luis: “There is a difference between lower-case ‘open source’ and upper case Open Source—as defined by OSI and the OSD, non-retractability is kind of a fundamental feature.”

Can someone send a cease and desist letter to your actual customers?

“You can be liable for the actions of others if you are the one distributing the copyright work.”

- Luis Villa

Kate: “No, they can’t send a cease and desist to your customers provided they aren't redistributing. But you can get in a lot of trouble with a customer if you have an IP indemnity or warranty claim. And honestly if this is creating a big, serious inconvenience for your customer, they are going to try to walk from their contract. And I do not recommend having active litigation because every time you go into a sales call, it is going to get brought up.”

Luis: “You can be liable for the actions of others if you are the one distributing the copyright work. For example, this came up in the Google-Oracle case—a lot of the copying in question was done by the Apache Software Foundation with support from IBM, but Google took it and copied it and distributed it in Android phones. Because it was their hardware at the point of sale, they were [potentially] liable.

“There was another case with Best Buy or Circuit City or maybe Radio Shack, and they were distributing wifi access points they didn’t manufacture or design that had some licensing violations—and again they were liable even though they didn’t make it. Liability extends down the stack. You can use indemnities or other ways of putting the responsibility upstream to deal with this, but if you didn’t, yes, you are liable.

“Red Hat indemnifies a lot of open source, which is a great thing. And so does Tidelift, and I can use my role as general counsel and leader of the lifter team to build relationships with lifters, and those relationships are handy when there is a licensing challenge—mostly for our customers and for others too.”

Where do you land on whether Google or Oracle should win?

“If APIs are copyrightable, why not just put them under an open source license?”

- Kate Downing

Luis: “In the interest of full disclosure, I was hired as an external counsel for Google on the first and second rounds, and Tidelift has filed an amicus brief. And in short, we don’t think APIs are copyrightable. I tend to think they are methods of operation which are specifically not copyrightable.”

Kate: “If APIs are copyrightable, why not just put them under an open source license? You can pretty much work around this ambiguity and this is what most people are doing because of this case—the Apache Software Foundation license is pretty good for this. If you don’t have a license, when a company wants to use your API, you’ve got to build a bespoke actual legal agreement between both your companies, and that takes weeks at best—and nobody is going to use your API if there is an option that’s available on GitHub with a license”.

Luis: “This case literally started when I graduated from law school, that’s how long this has been going on—and so this has shaped how we think about APIs. Van Lindberg’s Cryptographic Autonomy License does some interesting things around APIs. Van has raised the question—if Oracle wins, does that strengthen the GPL? What are the larger effects of this?”

How solid are the licensing practices of most OSS projects? Do you have horror stories or success stories?

“This is one of my favorite parts of Tidelift, helping people not drag in these dependency dragons.”

- Luis Villa

Kate: “If you are looking at a project run by a foundation, you are at least going to have middling compliance practices and people are going to be at least trying. Outside of the foundations, I see a main license, but I don’t see a notices file for third-party code and licenses—and this isn’t great in terms of inheritance of rights and dependencies. A lot of maintainers don’t seem to understand that if they want the attention of large companies—if they can’t figure out how you are licensed, they are not going to adopt you, they are not going to buy you.”

Luis: “So the thing is the big projects might be in good shape, but there are literally thousands of dependencies your company is using that might be in mixed shape.”

Kate: “The big fear is that one of these small dependencies is consuming something big and well architected and protected—and you gain that responsibility without understanding that you have it, and then it gives you responsibilities.”

Luis: “This is one of my favorite parts of Tidelift, helping people not drag in these dependency dragons—helping maintainers figure out options, and how to disclose them. I think one of the interesting things about where we are in OSS is that there are so many more OSS developers. At this point if one percent of OSS developers use your project, you are wildly successful. I used to get an email about literally every OSS project on the planet, and there were a couple a week, not that many. So I think the landscape has changed a lot and people have not caught up.”

You can watch the full recording on-demand.

Watch Now