I continue to be in awe of this stat: the composition of today’s applications is often as high as 90% open source components and only 10% custom source code. A true testament to the value of open source in helping speed the delivery of custom-built applications. (This amazing, but true, stat is based on our analysis of the Central Repository and 1000+ Repository and Application Healthcheck Risk Assessments.)
The pervasive use of Open Source components requires development organizations to understand and follow licensing conditions for each component and their many subcomponents. This is an often-perplexing task given the hundreds of open source license types, many with unique conditions. (Need a primer on Open Source Licenses? See below or check out the Trusted Software Alliance’s interview with Heather Meeker – the woman who literally wrote the book on this topic.)
Microsoft heard that message loud and clear from their customers and that is why they reached out to Sonatype for help. And we are excited to announce the integration of Sonatype’s license analysis for NuGet packages, including all subcomponents, into Microsoft’s NuGet Gallery and Visual Studio add-in. By putting this data directly into the .Net developers’ day-to-day toolset, they are now empowered to select the packages that best suit their organization’s policies and legal requirements.
Sonatype has been providing this valuable license data – as well as critical security and architecture data – to make it easy for organizations to build high quality applications and ensure they are secure over time with the Sonatype Component Lifecycle Management (CLM) platform. This whitepaper provides the big picture of CLM. And if you are looking for a better understanding of open source licensing read on for a quick primer…
WHAT IS OPEN SOURCE LICENSING?
Source-code authors own their work and it is protected by copyright. Open source licensing protects the intellectual property rights of the original creators and determines the way in which it may be used and distributed by others.
COMMON OPEN SOURCE LICENSE TYPES
There are hundreds of open source licenses, each with distinct rules and regulations regarding the licensing of OSS components. The most common types of open source licenses are:
- “Liberal” licenses, such as Apache, MIT or BSD, allow you to copy, modify and distribute derivative works with limited conditions. These typically include attribution to the original authors and a copyright notice. These licenses are most often found on lower-level projects.
- “Weak Copyleft” licenses, such as Mozilla, Eclipse and the GNU Lesser General Public License (LGPL), allow you to copy, modify and distribute larger works that include open source components, but require you to make source code and documentation available for any modifications to the initial component itself. These licenses tend to be used in libraries or platforms.
- “Copyleft” (or “Strong Copyleft”) licenses, like the GNU General Public License (GPL), require you to license applications under the same copyleft license even if they include just a single component licensed in this way. This includes the requirement that the application’s source code be made available when it is distributed outside of your organization. In some cases, such as the Affero General Public License (AGPL), the right to obtain source code is extended to any network user of the licensed work. This type of license is generally incompatible with commercial software.
Choosing the right license type for a new application and adhering to all open source license obligations throughout the software development lifecycle can be tricky. Several common license types are incompatible and cannot be combined into a new application. You’ll need the right tools and information to select appropriately licensed components – and ensure that you are complying with license terms.
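As an added example (not Sonatype’s, NuGet’s or Microsoft’s code), the check below walks a constructed component tree, including transitive subcomponents, classifies each license into the three categories from the primer above and records the obligation each category imposes on a commercially distributed application. The license sets, package names and obligation texts are illustrative assumptions, not a complete catalogue.

```python
from dataclasses import dataclass, field

# Constructed, illustrative mapping of license identifiers to the primer's categories.
CATEGORIES = {
    "liberal": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "weak_copyleft": {"MPL-2.0", "EPL-2.0", "LGPL-3.0"},
    "copyleft": {"GPL-3.0", "AGPL-3.0"},
}
OBLIGATIONS = {
    "liberal": "retain attribution and copyright notice",
    "weak_copyleft": "publish source of any modification to this component",
}
def categorize(license_id):
    # Anything outside the known sets is "unknown" and must be reviewed by hand.
    return next((c for c, ids in CATEGORIES.items() if license_id in ids), "unknown")
@dataclass
class Component:
    name: str
    license: str
    deps: list = field(default_factory=list)  # direct subcomponents
def walk(component, path=()):
    """Yield (path, component) for the component and every transitive subcomponent."""
    path = path + (component.name,)
    yield path, component
    for dep in component.deps:
        yield from walk(dep, path)
def assess(components, distributed=True, network_service=False):
    """One finding per component in the tree: path, license, category, obligation."""
    findings = []
    for path, comp in (hit for top in components for hit in walk(top)):
        cat = categorize(comp.license)
        if cat != "copyleft":
            obligation = OBLIGATIONS.get(cat, "unrecognised license; review manually")
        elif comp.license.startswith("AGPL") and network_service:
            obligation = "source must be offered to every network user"
        elif distributed:
            obligation = "whole application must ship under this license"
        else:
            obligation = "no distribution obligation while internal; review before release"
        findings.append({"path": " > ".join(path), "license": comp.license,
                         "category": cat, "obligation": obligation})
    return findings
def blockers(findings):
    # Findings that need legal review before a commercial release.
    return [f for f in findings if f["category"] in ("copyleft", "unknown")]
# Constructed sample: a liberal package whose own subcomponent is AGPL, the case subcomponent analysis exists to catch.
SAMPLE_DEPS = [
    Component("lib-json", "MIT"),
    Component("lib-http", "Apache-2.0", [Component("lib-db", "AGPL-3.0")]),
    Component("lib-ui", "LGPL-3.0"),
]
```

Running `blockers(assess(SAMPLE_DEPS))` surfaces only `lib-http > lib-db`, which a check of direct dependencies alone would miss.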