Following on from this week’s challenge, let’s dive into the open-source realm a little.

This is to assess the risks when the company being acquired has based its business on, or leverages, open source software.

With software, licenses have always been a thing, with the five most famous being:

  • GNU General Public License (GPL and the LGPL)
  • Apache
  • MIT
  • BSD
  • Mozilla Public License

These days, there are about 80 licenses approved by the Open Source Initiative, while there are over 200 out in the wild.

Needless to say, not all licenses are created equal. Some were created specifically to ensure the source code is provided with the binaries (GPL), some require just attribution and a copy of the license (BSD), some are openly permissive (Apache), and some provide a reminder that the software is available AS-IS.

While most deal with making changes to the software, some impact how you use it.

For example, the GPL requires that all modifications made to the code be freely available and distributed with the final code. Alternatively, the Affero GPL (AGPL) requires the source code for a network-based application to be available (think Facebook being forced to publish the code powering its website if it incorporates any code licensed under AGPL).

This is where the license can matter. More so if you are incorporating custom code that leverages Open Source offerings, or if the target company has made Open Source a part of its business.

One of the things to come out of the last few international security incidents is the industry coming together around a software bill of materials (SBOM). This can help identify what the risk profile looks like based on which components use which licenses, so your attorneys can then assess the risk of incorporating the IP into your business.
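To make that last point concrete, here is an added example of the kind of first-pass triage you can run over an SBOM before the attorneys get involved. It is my code, not part of the original post, and it assumes an SPDX-style JSON document with a "packages" list carrying "name", "versionInfo" and "licenseConcluded" (SPDX identifiers); the SBOM itself is constructed for the example, the category table is a deliberately simple heuristic for sorting packages into obligation buckets (permissive, weak copyleft, strong copyleft, network copyleft such as AGPL, unknown), and the license-expression handling is a simplification I note in the comments. Its output is a count per bucket plus the list of packages to escalate, which is the shape of "risk profile" the paragraph above is talking about.

```python
"""Triage the licenses in an SPDX-style SBOM by obligation category.

Added example, not code from the original post. Assumes an SPDX JSON
document whose top-level "packages" entries carry "name", "versionInfo"
and "licenseConcluded". The categories are a triage heuristic only.
"""
import json
from collections import Counter

# Hypothetical SBOM for an acquisition target, constructed for this example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "target-co-webapp",
    "packages": [
        {"name": "webframework", "versionInfo": "4.2.0", "licenseConcluded": "AGPL-3.0-only"},
        {"name": "libcompress", "versionInfo": "1.9.1", "licenseConcluded": "GPL-2.0-or-later"},
        {"name": "libcrypto-wrap", "versionInfo": "0.7", "licenseConcluded": "LGPL-2.1-only"},
        {"name": "httpclient", "versionInfo": "2.0", "licenseConcluded": "Apache-2.0"},
        {"name": "jsonparse", "versionInfo": "3.1", "licenseConcluded": "MIT OR BSD-3-Clause"},
        {"name": "templating", "versionInfo": "1.0", "licenseConcluded": "MPL-2.0"},
        {"name": "vendor-blob", "versionInfo": "unknown", "licenseConcluded": "NOASSERTION"},
    ],
})

# Obligation categories keyed by SPDX identifier prefix, ordered from least
# to most demanding for an acquirer. "unknown" ranks last because a package
# with no identified license has to be resolved before the deal closes.
CATEGORIES = [
    ("permissive", ("MIT", "Apache-", "BSD-", "ISC")),
    ("weak-copyleft", ("LGPL-", "MPL-")),
    ("strong-copyleft", ("GPL-",)),
    ("network-copyleft", ("AGPL-",)),
]
RANK = {name: i for i, (name, _) in enumerate(CATEGORIES)}
RANK["unknown"] = len(CATEGORIES)
NEEDS_REVIEW = {"strong-copyleft", "network-copyleft", "unknown"}


def classify_single(license_id):
    """Map one SPDX identifier to an obligation category."""
    lic = license_id.strip()
    if lic in ("NOASSERTION", "NONE", ""):
        return "unknown"
    for name, prefixes in CATEGORIES:
        if lic.startswith(prefixes):
            return name
    return "unknown"


def classify(expression):
    """Reduce an SPDX license expression to a single category.

    Simplification (an assumption of this example): parentheses are dropped,
    AND-joined terms are split first and all must be satisfied, so the most
    demanding category wins; OR-joined terms are a choice, so the least
    demanding category wins.
    """
    expr = expression.replace("(", "").replace(")", "")
    and_parts = []
    for conj in expr.split(" AND "):
        or_cats = [classify_single(t) for t in conj.split(" OR ")]
        and_parts.append(min(or_cats, key=RANK.get))
    return max(and_parts, key=RANK.get)


def risk_profile(sbom_json):
    """Summarize an SPDX JSON SBOM: counts per category plus packages to escalate."""
    sbom = json.loads(sbom_json)
    counts = Counter()
    flagged = []
    for pkg in sbom.get("packages", []):
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        cat = classify(lic)
        counts[cat] += 1
        if cat in NEEDS_REVIEW:
            flagged.append((pkg.get("name"), pkg.get("versionInfo"), lic, cat))
    return {"counts": counts, "flagged": flagged}


if __name__ == "__main__":
    profile = risk_profile(SAMPLE_SBOM)
    for cat, n in sorted(profile["counts"].items(), key=lambda kv: RANK[kv[0]]):
        print(f"{cat:17} {n}")
    print("escalate to counsel:")
    for name, ver, lic, cat in profile["flagged"]:
        print(f"  {name} {ver}: {lic} [{cat}]")
```

Run against a real SBOM, the "escalate" list is what goes to counsel: the AGPL web framework is the one that raises the network-distribution question from the paragraph before, the GPL library raises the source-availability question, and the NOASSERTION entry is a gap in the target's own inventory that needs to be closed before anyone can opine on it at all.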

cab