
Software compliance is not just about licensing

For many companies, software compliance is just about making sure that all copies of a particular application in use have a valid vendor licence. There's plenty of software around to try and ensure that all licences are valid and all users covered, to stop organisations like the Federation Against Software Theft (FAST) from …


This topic is closed for new posts.

What's the problem?

This is no big deal.

Policies and practices concerning use of third party code are just another aspect of normal software development, like unit testing and data protection compliance.

Any developer halfwitted enough to copy and paste third-party code without looking for and considering implications of licensing statements has no business writing software.

Just because you can google it, doesn't mean you have the right to use it for whatever you want without permission.



Less with the FUD

If you use copyrighted code to create your own piece of software, then you need permission from the copyright holder to distribute it anywhere outside your own four walls. That has always been the case, ever since the test case when it was decided that copyright applied to computer software.

The fact that some authors are willing to give you permission to use their copyrighted code, under certain conditions, does nothing to alter this.

If you wanted to use portions of Microsoft software in your own products, you would need permission from Microsoft -- and even if they deigned to grant such permission, there would no doubt be onerous conditions attached to it.

If you use GPL code in your products, then you are bound by the conditions of the GPL -- which include the condition that you must make available your modified software under the terms of the GPL. That is absolutely fair. GPL software represents people's own hard work which, out of the goodness of our own hearts, we have decided to share with you. That's already more than the likes of Microsoft, Borland or Oracle have ever done! If you choose to accept our kind offer, all we ask is for you to share your own hard work with others as we shared ours with you. And if you are unwilling to do that, then we are unwilling to let you use the software we wrote. We wrote that software because we believe it is the best tool for the job, and we chose to share it with everyone because we believe in sharing the fruits of human endeavour. We did not write it so that people could lock it up in proprietary, restricted applications.

Just make the Source Code available -- and include whatever it takes to get it to build with the latest GCC -- and you won't have problems. That is all we, as authors of GPL software, ask. Otherwise, you will have to rely on the "fair dealing" provision of copyright law -- in other words, keep your modified work to yourself.


as usual, easier with Open Source code and development

If it is GPL'd then you can get at the source to check your source code for bits that you need to rewrite (I suggest checking _before_ the launch, the bit about having to release it all under GPL is hyperbole).

A probably more common situation is where the code subcontracted into your application belongs to someone else and you can't see their source code because they don't publish it. So they might ambush you at launch, that being the first chance they get to check your object for their copyright material.

When an organisation declines to release an application as Open Source despite it being clear that this is the rational thing to do my suspicion nowadays is that they are unable to say that nobody else owns parts of the code, and that, given average competence, means that they are using it without a licence to do so.

I think that the Scottish NHS should release the General Practice computer system GPASS as Open Source. They say it is impossible. I've therefore seen none of the source code.


Your assertion from the GPL is incorrect

Your sentence,

"Essentially, under section 2 of the Terms and Conditions of Copying, Distribution and Modification, if you happen to utilise a piece of code that has been distributed under the GPL - just one piece - then the whole of the final released code that includes that GPL code in it also has to be distributed under the GPL."

falls foul of the most common misconception of the GPL. You do NOT have to license all of your code under the GPL if you use a chunk of GPL'd code. If you read the GPL carefully, you will see that:

"if identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works."

This means that if your program uses a chunk of GPL'd code and your program is not a derivative work, then you are not restricted at all - you can license it in any way you like. You only need to acknowledge and distribute the chunk of GPL'd source code you used.

However, the GPL goes on to clarify:

"But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it."

This is saying that if you create a program which is BASED ON a GPL'd program, then you must distribute the whole program under the GPL. This is quite different from just using a chunk. For example, if you create an enhanced word processor program which is based on an existing GPL'd word processor program, then this is regarded as a derivative work and must be distributed under the GPL.


GPL doesn't hijack your code

The main thrust of the article is that, if you naively copy-paste 100 lines of code into your program, then your entire work becomes "virally infected" with the GPL. This overlooks 2 important things:

a) A few lines of code would probably be allowed as fair use.

b) You always have the option to just remove the GPL'd bits. If this is only a few hundred lines, you can simply re-write them.

Obviously, if you used a large fraction of GPL code in your work, it would be impractical to re-write it - and you'd then have to release the entire thing as GPL. But that's only fair if you didn't do the work yourself! It's simply FUD to talk about the GPL "accidentally ambushing" a commercial project.


I think you missed the point..

Sure the author screwed up his argument by using a poor example.

But the point of the argument is that sometimes your software developers do use a piece of code that is available in the public without regard to the licensing aspect. (I'm a programmer Jim, not a lawyer... ) ;-)

This is a very common problem and most often a hard one to detect.

With respect to GPL, it appears that not everyone seems to have a clear handle on it.

Suppose you're working with a Linux kernel and your company has a nifty new way to handle virtualization. This would require doing a bit of rewrite on parts of the kernel as well as some application software to take advantage of your new "hooks".

Under GPL the code mods in the kernel become OpenSourced. The application that takes advantage of the "hooks" can still be proprietary.

I think that it's a better example of GPL.

But back to the article. I think that the point was to announce a piece of software that will scour known OpenSource code and compare it to your code. If there are any similarities, it identifies it and then allows for a document trail of the code and how you resolved the issue.

Does that make sense?


Just make sure you only steal BSD or MIT code.....

... it works for Microsoft.

For years winsock was a lightly modified version of BSD sockets, and they managed to modify a few lines of Kerberos and patented the mods so that no one can legally connect to NTFS without paying royalties.


Hard to enforce?

There's a couple of problems. I think the first one is, is there even such a thing as "commodity" code anyway? The thing about the GPL is who can actually enforce it? If a really big company violated the GPL who would have the money to take legal action? More to the point has the GPL even been tested in court?

Anonymous Coward

Open Source Compliance

Clive is right. The new model of development presents unique challenges. Compliance oversight necessitates re-coding, costing the company time, money, resources, and creates significant legal issues. With development centers spread out now to different countries, this lack of control significantly increases business risks.

Using open source detection products, companies can find out any open source software code in their product after the fact; after it has already been incorporated. But by then, it is already too late.

Corporate legal departments should establish the open source review and approval processes for each request and manage the process of introduction of open source software into their products. Lecorpio is one of the companies that provide workflow solutions to corporate legal departments to implement the open source compliance policy.


Poor companies...

Aww, poor little companies... They want to get code for free to save their precious time and money. Great, I do the same. But then they do NOT want to allow other people to also save time and money by reusing code. Isn't it adorably cynical? I almost pity the poor milli/billionaires.

While not outright FUD, this article smells so strong of it that it's hard not to notice.
