Don’t Judge an Open Source Project by its Cover
At OpenLogic we review open source software prior to adding it to our certified library. Projects get added to our queue in a number of ways, but more often than not, customers contact us and let us know they are using a project and ask us if we will review, certify and add the project to our library. The first step in our certification process is to verify that the project is indeed open source. For example, we automatically disqualify projects that are "free" or "demo" products that aren't provided with source code. But more importantly, we review the terms under which the package is licensed. This is probably the best way to determine whether the project is really open source or not. Many times it is easy to tell if it is an open source license, for example if the license is well known (like the GPL or the Apache License) or if it is based on a well-known license (like BSD) with minor, inconsequential changes. But often, the licensing is not so cut and dried.
A few weeks ago a customer asked us to review a package. After reviewing the website I was unable to find any information on licensing. It is a common practice for community websites to either include a statement on, or link to, licensing information. So, I downloaded the project and unpacked the distribution. Another common practice is to place the project license in the root directory. Again, I found nothing. So I contacted the project owner. He let me know that he had not given it any thought and that he had not chosen a license yet. And yet the project was over 2 years old!!
I gave him some links to resources on licensing open source projects: the Open Source Initiative and the Free Software Foundation. I also mentioned that Wikipedia has tons of great information on open source licensing. I also offered some advice on the importance of understanding his goals with respect to his project. Did he want to be less or more controlling over what ultimately happens with his project's source?
His project is actually a subproject of a very well known open source project. So he sought the advice of his contact at the parent project and now has plans to officially license his project using a standard open source license very soon.
This story illustrates just one of the many reasons why determining whether a project is really open source, and more importantly how it is licensed, can be very difficult and time consuming.
This is not the first time we've had companies ask us to add "open source" packages to our library that are not licensed open source projects. I think there are a few lessons in this story. But ultimately, if your responsibility is to understand how a project is licensed and to ensure that your organization is in compliance with the terms and conditions of that license, you can never assume a project is open source until you have the license in hand. Even if the project is a subproject of a well-known open source licensed project.