Open Source Compliance (On Your Own Terms)

As Sean Michael Kerner mentioned in a recent article over on InternetNews to which I contributed, the BusyBox lawsuits are one example of the increased scrutiny being applied to open source license compliance (and open source in general). For those of you following open source legal issues, this scrutiny should not come as much of a surprise. In a way it is almost a measure of how far open source has come in the commercial marketplace. As companies have continued to put open source to work in an ever-widening variety of uses, and as the scope and profile of those uses has increased, the level of scrutiny applied to those uses was also naturally bound to increase.

I view this evolution not so much as cause for concern, but as cause for understanding and compliance. Companies that do not take note and move to implement open source compliance measures on their own terms will increasingly find themselves being required to comply on terms imposed by others (including not only SFLC, FSF and, but likely other groups as well). However, those that do, will find that open source compliance practices are evolving and that a growing number of tools exist to help make the use of open source no more risk prone than the use of proprietary software.

This topic of open source compliance on your own terms is one that I see a number of companies dealing with today. I will be covering it in my session at the 2008 Open Source Business Conference (OSBC) on March 25-26 at the Palace Hotel in San Francisco.


More details are available on the OSBC web site. While you are there, check out some of the other great sessions at OSBC this year. This is the 5th year for OSBC, and I think the best year yet in terms of content. I hope to see you there.







Affero GPLv3 Released

The Free Software Foundation (FSF) today announced the release of version 3 of the GNU Affero General Public License (AGPLv3). AGPLv3 is based on version 3 of the GNU General Public License (GPLv3), but has an additional term to allow users who interact with AGPLv3-licensed software over a network to receive the source code for that software (and modifications to that software). In particular, AGPLv3 modifes Section 13 of GPLv3 as follows:

While GPLv3 generally covers the distribution to third parties of modifications to software under GPLv3, it does not cover the situation where a user modifies software covered by GPLv3 and runs the modified software on a network without actually distributing a copy of the software. As a result, users making the functionality of software subject to GPLv3 available over a network (but not also distributing the software itself) are not required by GPLv3 to make available the source code to any modifications they have made to that software. This means that modifications to software covered by GPLv3 by companies operating operating under a software as a service (SaaS) or application service provider (ASP) model need not be released.

The fact that ASP/SaaS models are quickly becoming prevalent in the software industry and that the final draft of GPLv3 released earlier this year did not close this so-called “ASP Loophole” (or, if you prefer, “SaaS Loophole”) has led to a good deal of concern among open source commentators. The FSF intends that AGPLv3 will address these concerns by providing a means for developers to close this loophole. In particular, under AGPLv3, anyone running a copy of a modified version of software covered by AGPLv3 on a network must also make available a copy of those modifications as well (regardless of whether they have actually distributed the modified software itself). In their press release, the FSF notes that AGPLv3 is compatible with GPLv3 and, as a result, programmers who want to use the AGPLv3 for their work can also take advantage of software available under GPLv3. Given the additional coverage provided by AGPLv3, the FSF recommends that people consider using the AGPLv3 for any software which will commonly be run over a network.