Thank You Open Source - But Beware
I want to give thanks to the awesome open-source community that gives so much to all of us. But beware, with freedom comes responsibility.
As we move into the holiday season and the last few weeks of 2022, I wanted to give thanks to the awesome open-source community that gives so much to all of us. But beware, with freedom comes responsibility.
What is Open Source
Open source software is software in which the copyright holder grants the users the right to use, study, change, and distribute the software and its source code to anyone and for any purpose. There are a number of open-source license types and each is slightly different. But in general, they all support the open sharing of the software and its source code.
Examples of Open Source
Here are some of the most recognizable examples of open-source software:
- Apache web server
- Mozilla Firefox
And from a software developer perspective, here are some prominent examples of open-source software you probably use daily:
How Much Software Is Open Source
According to Wikipedia, there are more than 180,000 open-source projects. Other sources state that 70-90% of web and cloud application source code is based on open-source code.
Think for a minute about your last project.
Was it based on Python or Node.js or .NET? Open-source.
Did it use npm or nuget packages? They were very likely open-source.
Did you use MySQL or PostgreSQL or MariaDB as your database? Open-source.
How Many Developers Contribute To Open Source?
Contributing to open-source projects is a great way to boost your software engineer career. By contributing to open-source projects, you:
- improve your coding skills
- grow your network
- build your GitHub portfolio (employers look for this more and more)
A 2019 survey by Tidelift and The New Stack asked 400 professional software developers about their contributions to open-source. The survey found that 84% view themselves as active open-source contributors (contributing more than once per year).
What about you? Have you posted code to a public GitHub repository? Have you helped track down a bug in another open-source project? Have you done a pull request and discussed bug fixes or enhancements for an open-source project?
Common Open Source License Types
There are over a hundred specific open-source license types. OSI is a good resource to learn more:
However, the most common open-source licenses that are generally considered low in risk are:
- MIT License
- Apache License
- ISC License
- BSD License (3-clause "new" version) and (2-clause "simplified" version)
A "Low" risk means that as long as you keep the original copyright information in place whenever you modify and/or distribute the software, you are good to go. So if you make changes to the source code of an MIT-licensed open-source product, you are allowed to do so as long as you keep the copyright information that shows the original copyright holder of the software.
"Medium" risk licenses are a bit more stringent but still open source. Under these types of licenses, you can still access and modify the source code but some restrictions apply. For example, in some medium-risk licenses, you may be required to provide your open-source changes along with the product and make them available via open-source as well.
"High" risk licenses are much more restrictive and should be thoroughly reviewed. For example, with some of the GNU open-source licenses, if you base your code on GNU-licensed open-source code, you may be required to extend the royalty-free licensing to your codebase as well, and make your code available royalty-free because that is what the GNU license stipulates.
Be Careful What Open Source Licensing You Use
Let's say you are building a SaaS-based Twitter marketing application. Your users can create an account, tie it to their Twitter account, and then use your application to manage their Twitter social marketing.
You have engineered a unique "special sauce" analysis engine that reviews your users' tweets, and their current followers, and builds a sentiment and domain profile for those users. With this information, your application does a truly wonderful job of helping your users then automatically review and recommend who to follow and who to follow back based on similarities in sentiment and domains.
As is typical with web and cloud applications, about 80% of your code base is open-source. And in particular, you found an awesome open-source rules-based analysis engine and you modified it to build your "special sauce" analysis engine that is the heart of your SaaS application.
You forge ahead, your application is a great success, you have users signing up left and right, and the SaaS is so successful that you build it out as a white-label service where others can even re-sell your core SaaS application labeled as their own. Congrats!
Low-Risk Open-Source License
With a low-risk open-source license, as long as you include the original copyright information in the source code, that is likely all you need to do. You used and revised the original, kept the original copyright information, and went on to build your unique solution with no other obligations back to the copyright holder.
Medium-Risk Open-Source License
With a medium-risk open-source license, things can get a little more interesting. Depending on the specific licensing of the original code, the license may require that all code be freely distributed including any code derived from that original code. So, the license may require that you freely distribute your source code. This would take the "secret" out of your "secret sauce" in your SaaS application.
High-Risk Open-Source License
With a high-risk open-source license, things can get even more interesting. Again, depending on the specific licensing of the original code, the licensing may require that all source code modifications be provided because they are derived from the original licensed code and that the software is provided royalty-free. So, not only would you be giving away your secret sauce, but you may also have a serious legal issue with your white-label reseller program because of the particular open-source license under which part of the code falls.
Beware But Don't Be Scared!
Licensing isn't something we're thinking about every day as software developers, and it can be daunting. But don't be scared! As stated earlier, 70-90% of web and cloud is estimated to be open-source in nature. There's a lot of open-source being used for a lot of projects.
I recommend becoming more familiar with the low-risk open-source license types listed in this article. Learn their names, and review how they work at least at a high level. Then every time you use a new package or module, quickly check it against the low-risk open-source license types. If you don't recognize its license, dig in and learn more before going too far with that particular package or module.
Many organizations have a dedicated effort or team that reviews and documents "approved" packages and modules and open-source licenses. Make sure you are aware of these efforts too.
Contribute To Open Source!
The best way we can thank the open-source community for all its contributions is to get involved ourselves! Get involved. Learn new things. Make connections. Improve your portfolio. Build things useful to others. Boost your career, and help others do the same.
Happy holidays everyone.