I Don't Distribute. Is Compliance Really Necessary?

The short answer is yes, compliance is necessary even if you don’t distribute.  Let’s discuss some of the reasons.  This question comes up in sales conversations frequently and is usually a result of an internal discussion at a prospect’s company.

1. Compliance is the right thing to do.

At its most basic level, complying with the open source licenses even when no one may otherwise know is just the right thing to do.   By the nature of open source licenses, once you download the source code, you have entered into a licensing agreement with the author or copyright holder of the code. If you enter a licensing agreement through the more traditional procurement process, you probably wouldn't get done and then say, "we don't need to comply with those terms we just negotiated."  Why should open source licenses be any different?  You got the code (maybe for no cost), you entered a license, and you should comply with the license requirement.  Period.  Plus, you never know if someone may blow the whistle on you; a disgruntled employee who leaves the company could quickly inspire a lot of bad press and a potential lawsuit with very little effort. 

 

     2.  Open Source licenses may have obligations triggered on mere use.

While most open source license requirements depend on distribution some trigger upon "use." Most often, the requirement has to do with attribution to the authors of the code.  Giving attribution isn’t hard, but it’s an important part of compliance.  For example, the MIT license conditions the right to use upon retaining the copyright and permission notice.   The Jason Hunter license is a little more challenging to comply with but requires that if you use software in a commercial project, you must buy a copy of his book for everyone on that project's development team.  So even though you might not ever distribute that code, you may still have an obligation.  Those are just 2 examples of obligations you might find in an open source license that have nothing to do with distribution. 

 

    3.  Your distribution status or lack thereof could change.

What if that internal tool that you thought you would never distribute suddenly gets rolled into a product? Now you are distributing.  At that point, it is critical that you are in compliance and I can’t think of any company that wants to delay a product release because of non-compliance of a license.  It's much more efficient to make sure you comply on the front end.   And what happens if your company purchases another organization and that group distributes?  If you fail to do your due diligence on the purchased codebase, you could end up buying a lawsuit or a lot of work to get into compliance.  On the other hand, maybe you decide to sell your company or part of your codebase.  The purchasing entity will probably ask what open source software you have and how you have complied with the licenses. Not being able to answer that question with confidence or the effort required to get your code in compliance could devalue the worth of the asset.  I wouldn’t want to be the one to break that news to my boss. 

As you can see there are plenty of reasons to comply with an open source license other than distribution.  And while distribution is one of the more compelling reasons that cause a company to make efforts to comply, at the end of the day doing it because it’s the legal and moral thing to do is awfully compelling as well. 

What do you think?  Is compliance already a standard part of your organization? 

 

Stay tuned for discussion on how to go from talking about compliance to implementing compliance in the enterprise. 

Follow @openlogic

Subscribe to Enterprise Open Source by EmailFollow @openlogic
Follow @OSCloudServices

This work is licensed under a Creative Commons Attribution 3.0 Unported License
.