Open source software usage is growing across all industries, but this year’s Open Source Security and Risk Analysis (OSSRA) report from Black Duck shows the pervasiveness of security vulnerabilities and license compliance risks. Black Duck conducted audits on more than 1,000 commercial applications in 2016 and analyzed the anonymized data. The audits were primarily related to merger and acquisition transactions but span a wide array of industries, such as healthcare, manufacturing, financial services, aerospace, aviation, and retail.
Open source security and license compliance issues can both pose serious financial threats to a company. Black Duck’s findings show 96% of applications scanned include open source software and the average app included 147 unique open source components. The majority of these applications (67%) contained security issues which have been publicly known for an average of four years. These included high-risk and well-known vulnerabilities such as Poodle, Freak, Drown, and Heartbleed.
License compliance issues were even more widespread than the security issues. Black Duck’s audits found 85% of the applications had components with license conflicts. Although 75% of the audited applications included GPL-licensed components, only 45% of them were fully in compliance with the license. The audits also revealed that 53% of the scanned applications had components with “unknown” licenses, which generally means the components were used without permission from their creators.
How GPL Compliance Efforts Affect the Future of the Copyleft Ecosystem
Stephen O’Grady’s recent article on Redmonk.com hails the decline of GPL, referencing repositories surveyed by Black Duck that demonstrate the once-dominant GPL license is “steadily eroding, giving way to licenses at the opposite, permissive end of the spectrum.” Although developers and companies are readily embracing open source software, the trend is towards more permissive licenses.
“In Black Duck’s sample, the most popular variant of the GPL – version 2 – is less than half as popular as it was (46% to 19%),” O’Grady said. “Over the same span, the permissive MIT has gone from 8% share to 29%, while its permissive cousin the Apache License 2.0 jumped from 5% to 15%.”
In a reaction article on Opensource.com, Jono Bacon said he has witnessed this same trend with the GPL falling out of favor in terms of practicality for business owners who are uncomfortable with meeting its black and white demands.
“In recent years though we have seen a newer generation of developers form for whom there is a less critical, and if I dare say it, less religious focus on freedom,” Bacon said. “For them, open source is a pragmatic and practical component in building software as opposed to an ethical choice, and I suspect this is why we have seen such a growth in the use of MIT and Apache licenses.”
The complexity of compliance is one of the chief drawbacks for those who feel uncomfortable using GPL-licensed code. If Black Duck’s open source application audits are any indication, commercial adoption of the GPL has not come with adequate education on license compliance.
However, GPL enforcement rarely leads to litigation. In an article that outlines the Free Software Foundation’s (FSF) stance on the role of lawsuits in GPL compliance, Donald Robertson said compliance is almost always an educational matter.
“Most violators are unaware of their obligations under the license and simply need additional help to come into compliance,” Robertson said. “Almost all GPL compliance cases end quietly with the violator correcting their mistakes, with only a minimal notification of past recipients of the then-violating distribution that anything has happened.”
Robertson emphasized that lawsuits should be a last resort but must remain a legitimate option. FSF’s compliance efforts focus on educating violators, but the organization reserves the right to take action on those who knowingly choose to violate.
“The threat of litigation provides leverage that we need with the rare violators whose GPL compliance problems are not merely mistakes, but are intentional attempts to limit their users’ freedom,” Robertson said. “While compliance work is primarily educational, we need a tool that can work with the rare few who are already educated but chose to violate anyway. Copyleft was designed from the start to serve as that tool.”
Software Freedom Law Center president and executive director Eben Moglen spoke at the SFLC’s conference last October about open source license compliance. He urged listeners to consider the perception of the GPL in the industry at large when weighing the costs of litigating compliance.
“We are not and we never were copyright maximalists,” Moglen said. “We did not do what we have been doing for the past 30 years to build free software on the basis of the assumption that freedom required us to chase down and punish everybody who ever made a mistake or who even deliberately misused copyrighted software made for sharing.”
Moglen said that in situations where it is appropriate to make an example, it is important to declare that you are in a last-resort situation with no other options besides litigation. Securing compliance by force can damage companies’ trust in using the GPL.
“If Richard Stallman and I had gone to court and sued a major global public company on a claim of copyright infringement that was weak enough to be thrown out of court on a motion to dismiss, we would have destroyed the GPL straightaway,” Moglen said. “If we had shown that we were prepared to risk large on coercion, even against a bad actor in our own judgement — if we had done that without adequate preparation to be sure that we won – we would have lost an example of coercion and nobody would have trusted us again.”
Moglen cautioned listeners not to be too quick to take action that might cause people to question whether there is something wrong with copyleft. He advocated spontaneous compliance, as opposed to constantly policing violations, as the most effective way to ensure the future of the GPL.
“We have an opportunity to put this free software where we want it, which is everywhere, and to make it do what we want, which is to spread freedom,” Moglen said. “We’re not in a place where the difficulty is how do we get enough ammunition to force everybody to comply. We don’t need ammunition. We need diplomacy. We need skill. We need to work together better. We need to understand how that working together purposively brings us to the point where everyone is not afraid of FOSS anymore and we are not worried about their complying anymore. We are just all engaging and leading the task of making free software.”
Moglen encouraged diplomacy and discretion when it comes to compliance because the long-term credibility of the free software community is at stake.
“I agree with the people who have suggested that if a campaign of coercive compliance is carried just a moment too far, willingness to use copyleft among the ￼rational businesses of the world will decline to a point which is dangerous to freedom,” Moglen said. “Because I do believe that copyleft is important to freedom.”
While Black Duck’s recent audits show that companies struggle with open source risk management and license conflicts are rampant, the good news is that the world is embracing open source software in every industry. Engineers and product managers may not have a full grasp of the requirements of the GPL, but a compliance approach that focuses on education will go a long way towards building a future that includes copyleft software at the core of innovation.
Feels like what Moglen is saying here is: “We don’t want to take it to court because it we do the courts will prove that what we have been asserting all along is false, and so better to assert a falsehood and hope people will believe it than to actually risk having the falsehood exposed?”
Note, I am not pro or con GPL, I recognize it exists and that many people value it and I respect the choices of those people.
But I don’t like it when people assert that falsehoods are truth, and as far as I can tell that is what happens when FSF claims that GPL has legal meaning but do their best to avoid having it ever tested in court. And I have felt this about GPL for many years, it’s not an opinion I just recently formed after reading this article.