Protecode Blog

How you can comply with open source license attribution

Today, many software products, and many pieces of equipment that contain software, include code from a variety of sources, and the data increasingly point to extensive use of third-party content in software. The external code may be supplied by contractors, outsourcing suppliers, commercial vendors, open source package providers (such as the Apache Software Foundation), or simple code snippets available on most websites that target the developer community. The best software developers today know how to reduce development effort and speed up delivery of quality code by finding and using suitable off-the-shelf code. This is code reuse in its finest form, enabled by ubiquitous access to off-the-shelf software and driven significantly by the open source phenomenon.

Most software licenses, open source or commercial, contain an attribution clause, which requires that the source of the software be identified. In many cases these clauses also require that the conditions under which the original software was made available to the product developer accompany the product.

Why is there an attribution clause in an open source license? Such a small requirement creates a strong deterrent to those who would otherwise take the software, strip all information that identifies its origin, and pass the code off as their own.

Best practices for distributing products that contain software include identifying all third-party content in the software and ensuring compliance with the licensing obligations. Compliance with the attribution clause of these licenses generally takes the form of an attribution document, listing all third-party software and providing the appropriate copyright and license information. An attribution document includes, at minimum, a list of copyrights and a list of licenses. Missing attribution is not a cosmetic defect: the GPL, for example, treats non-compliant distribution as void and automatically terminates your rights under the license (GPLv2, section 4), so the attribution document is part of what keeps your right to ship the code at all.

List of copyrights:

Most licenses, open source or commercial, require that the copyright, patent, trademark and attribution notices from the source software be reproduced verbatim with the product that uses it. Examples are the GNU General Public License (GPL), the Microsoft Public License (Ms-PL) and the MIT license. Note that even if the source code is not distributed with your product, the copyright and other attribution notices must still be distributed with your software.

Some open source licenses (such as the GPL) also require that the copyright, patent, trademark and distribution notices in the header of the original file be kept verbatim in the header of your distributed copy of that file. That is, you are not permitted to remove the copyright notice from file headers, even if you modify the code; under the GPL a modified file must instead carry the original notice plus a prominent note that you changed it and when (GPLv2, section 2a).

List of licenses:

Most software licenses require that a copy of the license text be bundled with the binary or source distribution of the code. If the code runs in an environment with a user interface that can display the license, then the license should also be made available and readable through that interface. For example, if your smartphone application uses open source software distributed under the Modified BSD license, you have to ship that license text with the application and make it accessible and readable on the phone's screen (typically an "open source licenses" entry under the application's About or Settings screen).

Create an attribution document:

  • First, identify all third-party content in your software. Automated tools such as Protecode's System 4 can create a software Bill of Materials and identify all third-party packages, copyrights and licenses quickly and accurately.
  • Next, identify the obligations associated with each package and its license. Protecode's automated License Obligations Report creates a good starting point for your licensing staff.
  • Consolidate the list of copyrights and licenses in a single document. Protecode analysis reports reduce this step to a couple of key presses.
  • Keeping all copyrights and licenses in a single location simplifies both compliance and the distribution of third-party attribution with the product.
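The three steps above (inventory the third-party files, extract their notices and licenses, consolidate them into one document) can be sketched in a small script. The following is an added example, not Protecode's tooling and not code from the original post. It assumes a convention that vendored code lives under `third_party/<package>/` and that upstream file headers carry their copyright lines and, optionally, an `SPDX-License-Identifier` tag; the sample files, package names and license texts are constructed placeholders. It also includes the check the file-header rule above calls for: that a modified copy of a vendored file still carries every upstream copyright line.

```python
"""Build a bill of materials and an attribution (NOTICE) document from
vendored third-party sources. Added example, not Protecode's tooling.
Assumes third_party/<package>/ layout and SPDX tags; samples are constructed."""
import re
from collections import defaultdict

# Strip comment leaders such as "/* ", " * ", "# ", "// " so notices compare verbatim.
COMMENT_LEADER = re.compile(r"^[\s/*#;-]+")
COPYRIGHT_RE = re.compile(r"^copyright\b", re.IGNORECASE)
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")


def extract_notices(text, max_lines=40):
    """Return (copyright lines, SPDX license id or None) from a file's header."""
    copyrights, license_id = [], None
    for raw in text.splitlines()[:max_lines]:
        line = COMMENT_LEADER.sub("", raw).rstrip(" */")
        if COPYRIGHT_RE.match(line):
            copyrights.append(line)
        m = SPDX_RE.search(line)
        if m and license_id is None:
            license_id = m.group(1)
    return copyrights, license_id


def build_bom(files):
    """files: {path: contents}. Group copyrights, licenses and files per package."""
    bom = defaultdict(lambda: {"copyrights": [], "licenses": set(), "files": []})
    for path, text in sorted(files.items()):
        parts = path.split("/")
        pkg = parts[1] if parts[0] == "third_party" and len(parts) > 2 else parts[0]
        entry = bom[pkg]
        copyrights, lic = extract_notices(text)
        for c in copyrights:
            if c not in entry["copyrights"]:
                entry["copyrights"].append(c)
        if lic:
            entry["licenses"].add(lic)
        entry["files"].append(path)
    return dict(bom)


def render_attribution(bom, license_texts):
    """Return (NOTICE text, problems to resolve before shipping).

    Each package lists its copyright lines verbatim and its license; full
    license texts follow once each. Packages with no detectable notice or
    license, and licenses with no text on file, are reported, not dropped."""
    out = ["THIRD-PARTY SOFTWARE NOTICES AND LICENSES", ""]
    problems, used = [], []
    for pkg, entry in sorted(bom.items()):
        out.append(f"== {pkg} ==")
        if not entry["copyrights"]:
            problems.append(f"{pkg}: no copyright notice found in {entry['files']}")
        out.extend(f"  {c}" for c in entry["copyrights"])
        if not entry["licenses"]:
            problems.append(f"{pkg}: no license identifier found; determine it manually")
            out.append("  License: UNKNOWN")
        for lic in sorted(entry["licenses"]):
            out.append(f"  License: {lic}")
            if lic not in used:
                used.append(lic)
        out.append("")
    for lic in used:
        out.append(f"---- {lic} ----")
        if lic not in license_texts:
            problems.append(f"{lic}: license text not on file")
        out.append(license_texts.get(lic, "(license text missing)"))
        out.append("")
    return "\n".join(out), problems


def missing_notices(upstream, modified):
    """Upstream copyright lines that a modified copy of the file has dropped.
    A non-empty result is a compliance defect: modifying vendored code never
    permits stripping the upstream notice from the header."""
    upstream_lines, _ = extract_notices(upstream)
    modified_lines, _ = extract_notices(modified)
    return [c for c in upstream_lines if c not in modified_lines]


# Constructed sample tree: three vendored packages, one without any header.
SAMPLE_FILES = {
    "third_party/libfoo/foo.c": (
        "/*\n * Copyright (c) 2009-2012 Example Foo Authors\n"
        " * SPDX-License-Identifier: BSD-3-Clause\n */\nint foo(void) { return 1; }\n"
    ),
    "third_party/libfoo/foo.h": "/* Copyright (c) 2009-2012 Example Foo Authors */\nint foo(void);\n",
    "third_party/barlib/bar.py": (
        "# Copyright 2015 Jane Example <jane@example.invalid>\n"
        "# SPDX-License-Identifier: MIT\ndef bar():\n    return 2\n"
    ),
    "third_party/bazlib/baz.c": "/* no notice at all */\nint baz(void) { return 3; }\n",
}
# Constructed placeholders; a real build pastes each license's full text verbatim.
LICENSE_TEXTS = {
    "MIT": "(MIT license text goes here verbatim)",
    "BSD-3-Clause": "(BSD-3-Clause license text goes here verbatim)",
}

if __name__ == "__main__":
    notice, issues = render_attribution(build_bom(SAMPLE_FILES), LICENSE_TEXTS)
    print(notice)
    for issue in issues:
        print("REVIEW:", issue)
```

Two design points matter in practice. Notices are copied verbatim after only the comment leader is stripped, because the obligation is to reproduce the notice, not to paraphrase it; and anything the script cannot resolve (a package with no header, a license with no text on file) is surfaced as a problem for a human rather than omitted, since a silently incomplete NOTICE file is exactly the failure mode the attribution clause exists to catch.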

What are your organization's best practices for complying with license attribution?

Learn more about open source compliance: download our guide on the six most popular licenses and their obligations.
