Friday, September 5, 2008

Practical Guide to GPL Compliance: Both Practical and Valuable

The Software Freedom Law Center (“SFLC”) recently published “Practical Guide to GPL Compliance” (“Guide”).
http://www.softwarefreedom.org/news/2008/aug/20/compliance-guide/The Guide is a major contribution to the open source community. It is very clear and valuable explanation about how to comply with the obligations in General Public License Version 2 (“GPLv2”), General Public License Version 3 (“GPLv3”), Lesser General Public License Version 2 (“LGPLv2”) and Lesser General Public License Version 3 (“LGPLv3”) and more generally how to best manage the use of FOSS.

The most critical point made by the Guide is the need to understand what third party open source software is in your software product in order to comply with obligations under FOSS licenses. However, companies should be equally concerned about complying with the terms of upstream proprietary software licenses. The Internet has made numerous software components easily available and my experience is that most software programs now include numerous third party components (both open source and proprietary).

Yet software companies frequently do not have an effective procedure for managing this new reality. This failure can raise significant problems at critical points in a company’s history, such as a financing and a merger. Many acquiring companies regularly perform a software scan of the target company’s software: they will discover these third party components and demand that the target company provide proof of compliance with the upstream licenses (both FOSS and proprietary). The failure to have a procedure for monitoring use of third party software means that the target company must scramble during the merger (or financing) process to prove compliance with upstream obligations. These problems are likely to cause delay in closing the merger (or financing) and, in some cases, may cause a reduction in the price or, rarely, termination of the merger. Recently, I assisted a startup in its sale to a large publicly traded company: the target company had over 100 third party software components of which it was not aware. We had to find a method to comply with the obligations in these upstream licenses in a very short period. The result was costly in management time and legal fees (rush jobs always cost more). In that case, however, the resolution of compliance with the obligations imposed by third party proprietary software component licenses created more problems than the FOSS components licenses.

The Guide is also very valuable for its practical suggestions about how to avoid compliance problems with the GPL such as training multiple developers how to “build” the software and distributing the Corresponding Source with the binary code (rather the alternative of making a written promise to provide the Corresponding Source). The Guide also provides detailed instructions on how to comply with the obligations relating to providing Source Code: the definition of Corresponding Source and the different options available under GPLv2 and GPLv3. For example, one nuanced, but important point is that Corresponding Source under GPLv2 cannot be provided solely by download (although it can be an option), but that option is available under GPLv3.

I strongly recommend that anyone dealing with FOSS compliance should read this guide.