I can still recall (it actually pains me to count the years, so I refuse to) with perfect clarity the sound of my 1200 baud modem handshaking with my neighborhood’s local BBS. It’s a sound that so consistently produces a smile for me, I liken it to the crisp smell of air just before rain begins to fall; it’s something instantly recognizable.
Once the gate is open, the memories begin to flow so freely I can easily wax nostalgic for longer than I care to admit. In this state, I find myself recalling all manner of mischief that could be discovered, many times conveniently including detailed instructions for the best results.
Among the many devices of trouble I could download, and there were quite a few, one genre of things I procured more often than anything else was games. While Nintendo and Sega were still King and King among consoles, waging a war that looks both similar and completely different today, I’d found what amounted to the tomb of Tutankhamun. It was a treasure trove for a kid without any income, in a family that had scraped everything together just to get a computer.
Free: Lessons of Youth
Now, before you jump to accusations of swashbuckling endeavors of my adolescence, I have to explain. It was a different time. All I knew was that by some grant of the gods of the pre-internet, there was all kinds of awesomeness to be had. Better yet, it was all free. Ah, the joy of learning lessons in our youth.
Looking back on that time, and my attitude, I really didn’t know any better. Well, at least I’d done a remarkably convincing job of persuading myself I didn’t know any better. In truth, I wasn’t actually looking for a reason to question why something others paid for, I could secure for free. Ignorance is bliss, as they say, and had I been a child of a different time, the consequences may have been more severe. Luckily, life was more gracious in teaching the lesson, and I quickly learned that “free” comes in a variety of forms.
Free: Lessons of Maturity
Finding a parallel in software component usage might seem like a stretch for some. But recent findings from our 2014 open source development and application security survey spoke loudly to these parallels.
One of the questions in the survey asked: does your organization’s policy manage the use of open source components by license type?
Here at Sonatype, right alongside the security issues that tend to get more consistent discussion, component licensing is a topic we often see overlooked. In the worst cases it’s ignored altogether. That’s because open source is almost always associated with “free.” This is quite contrary to reality.
While the vast majority of components have no associated cost, that cost of zero frequently comes with specific stipulations on usage. Surprisingly, those stipulations can turn out far more expensive than the aforementioned expectation of “free.”
Do you GPL?
Take for instance Cobertura, a well known and popular component that comes with a GPL license. Within a couple of paragraphs, the license itself provides a good explanation of “free,” and it’s less about cost and more about freedom. Of course, nothing substitutes for good legal counsel, but after reading that license it shouldn’t seem like an overstatement to suggest an entire business can be lost simply by making the wrong component choice, or simply because someone didn’t know better.
It doesn’t have to be this way though. Based on our latest survey results, most of you (91% to be exact) recognize the importance of understanding licensing issues for the open source components used in your applications, and over a third of you even see this as a critical step in evaluating every component used. That’s an awesome statistic.
Better Than a Slap on the Head
However, we need to get everyone on board. More than half of you understand the importance, but are still looking for the best way to integrate this decision point into your process and reduce the risk that “not knowing” introduces.
While you can visit our corporate website’s product pages to learn more about what Sonatype does in this space, I will tell you what our own development team does to track license types in the open source components we use across development. We use Sonatype CLM. It checks the license type of every component we use in a matter of seconds. It also does this early in the software development lifecycle, integrating directly into our development tools (e.g., Maven, Eclipse). This means we don’t fret about what might be lurking in our production applications; we know before it gets released.
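To make that decision point concrete, here is an added example of what a license gate in a build looks like. It is not Sonatype's or CLM's code: a small Python policy check over a constructed CycloneDX-style component list. The component names, versions and the three policy sets are illustrative assumptions, not a real bill of materials or a recommendation on how to classify any particular license. It blocks strong copyleft and undeclared licenses (the "not knowing" case), flags weak copyleft for review, and treats a dual-license "OR" expression as a choice the consumer gets to make.

```python
"""License policy gate for third-party components (added example, not Sonatype code).

Reads a CycloneDX-style component list and returns a verdict per component so a
build can fail before a questionable license reaches a release.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample BOM: names, versions and licenses are illustrative only.
SAMPLE_BOM = json.dumps({
    "components": [
        {"name": "commons-lang3", "version": "3.3.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "cobertura", "version": "2.0.3",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"name": "dual-licensed-util", "version": "1.0",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
        {"name": "mystery-lib", "version": "0.9", "licenses": []},
        {"name": "logback-core", "version": "1.1.2",
         "licenses": [{"expression": "EPL-1.0 OR LGPL-2.1-only"}]},
    ]
})

# Policy sets are assumptions for this example; your counsel decides the real ones.
ALLOWED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"}
REVIEW = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
          "MPL-2.0", "EPL-1.0", "EPL-2.0"}
BLOCKED = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
           "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
VERDICTS = {0: "allow", 1: "review", 2: "block", 3: "block"}


@dataclass
class Finding:
    component: str
    version: str
    verdict: str
    reason: str


def _rank(lic_id):
    """Map one SPDX id to (severity, reason). Unknown ids are blocked, not ignored."""
    if lic_id in ALLOWED:
        return 0, f"{lic_id} is allowed"
    if lic_id in REVIEW:
        return 1, f"{lic_id} is weak copyleft; needs review"
    if lic_id in BLOCKED:
        return 2, f"{lic_id} is strong copyleft; blocked by policy"
    return 3, f"{lic_id} is not classified in the policy; blocked until it is"


def _rank_expression(expr):
    """Best option among OR alternatives; within each, the worst of its AND terms.

    Parentheses are not handled (assumption: simple flat expressions only).
    """
    best = None
    for disjunct in re.split(r"\s+OR\s+", expr.strip()):
        terms = [t for t in re.split(r"\s+AND\s+", disjunct) if t]
        worst = max((_rank(t) for t in terms), key=lambda r: r[0])
        if best is None or worst[0] < best[0]:
            best = worst
    return best


def classify(entry):
    """Return a Finding for one component; several license entries are treated as AND."""
    name, version = entry.get("name", "?"), entry.get("version", "?")
    ranks = []
    for lic in entry.get("licenses", []):
        if "license" in lic:
            ranks.append(_rank(lic["license"].get("id") or lic["license"].get("name", "UNKNOWN")))
        elif "expression" in lic:
            ranks.append(_rank_expression(lic["expression"]))
    if not ranks:
        return Finding(name, version, "block", "no license declared")
    severity, reason = max(ranks, key=lambda r: r[0])
    return Finding(name, version, VERDICTS[severity], reason)


def evaluate_bom(bom_json):
    return [classify(c) for c in json.loads(bom_json).get("components", [])]


def gate(bom_json):
    """Return (passed, findings); the build passes only when nothing is blocked."""
    findings = evaluate_bom(bom_json)
    return all(f.verdict != "block" for f in findings), findings


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_BOM)
    for f in findings:
        print(f"{f.verdict:6} {f.component}:{f.version}  {f.reason}")
    raise SystemExit(0 if passed else 1)
```

The gate exits non-zero when anything is blocked, which is the point: wire it into the build and the license question gets answered where the component is introduced, not after release. Note that an empty license list fails rather than passing silently; a component whose license nobody recorded is exactly the one that needs a human to look at it.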
In a way, using CLM now is like having someone carefully coach me about software piracy back then. That would have been much better than the slap on the head my computer science teacher eventually gave me. Lesson learned. Lesson shared.