Open Source Compliance Script (Beta)

Use Case

This is a simple open source compliance script. The rules it uses are customary for companies ingesting open source for use in proprietary product development. “Customary” assumes a median level of risk tolerance, so the rules might not work for everyone. If you are developing an open source product, the rules are different, and focus instead on open source license compatibility.

The rules for this bot are, roughly, as follows. They are designed to eliminate (and approve) the most common fact patterns first. Any set of facts not eliminated this way is tagged for review. There is no way to handle all fact patterns; a good process has the goal of eliminating review for 90-95% of all fact patterns.

  • Permissive licenses work for any use case. If you pick any permissive license, the use is therefore approved. This leaves copyleft licenses only.
  • Any open source license (except AGPL) works in any use case, absent distribution. Most open source licenses have no requirements absent distribution. This leaves distributed copyleft software, or AGPL.
  • Weak copyleft other than LGPL is approved for distribution if you do not modify the software. This “rule” is intended to enable approval in most cases, as open source software is usually unmodified. If you do not modify software under a weak copyleft license, compliance only requires delivery of notices.
  • The rules applicable to these remaining facts are:
      ◦ GPL works for distribution only for whole programs.
      ◦ LGPL works for distribution only for dynamically linked libraries.
      ◦ A/L/GPL 3.0 do not work for embedded consumer devices. These uses are not approved.
      ◦ Any modification of copyleft software triggers an ad hoc review.

These rules represent a median corporate open source policy, and they are intended to eliminate ad hoc review in 99% of use cases. But no policy can, or should, eliminate all needs for review.

This script does not handle non-standard open source licenses; that tail is too long.

Some additional color:

  • Distribution means delivering a copy of software to others. It does not include server-side SaaS.
  • Modification means code changes, and does not include mere configuration changes or integration with other software via an unmodified API.
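
The rule set above, written out as a decision function. This is an added example, not the bot's own code: the SPDX-style license identifiers, the `linking` values and the order in which the remaining rules are checked (the v3 embedded-device prohibition before the modification check, so "not approved" wins over "review") are assumptions; AGPL is deliberately left to fall through to review because the page states no AGPL-specific approval rule.

```python
from dataclasses import dataclass

# Assumed SPDX-style identifiers; the page names license families, not exact strings.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"MPL-2.0", "EPL-2.0", "CDDL-1.0", "LGPL-2.1", "LGPL-3.0"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


@dataclass
class Component:
    license: str
    distributed: bool                # a copy is delivered to others; SaaS is not distribution
    modified: bool                   # code changes only; configuration changes do not count
    linking: str = "whole_program"   # assumed values: "whole_program" | "dynamic" | "static"
    embedded_consumer_device: bool = False


def evaluate(c: Component) -> tuple:
    """Return (decision, reason); decision is 'approved', 'not_approved' or 'review'."""
    lic = c.license
    if lic not in PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT:
        return "review", "non-standard license: outside the rule set"
    # Rule 1: permissive licenses work for any use case.
    if lic in PERMISSIVE:
        return "approved", "permissive license, any use case"
    # Rule 2: absent distribution, any license except AGPL has no requirements.
    if not c.distributed and not lic.startswith("AGPL"):
        return "approved", "copyleft without distribution has no requirements"
    # Rule 3: unmodified weak copyleft (other than LGPL) only requires notices.
    is_lgpl = lic.startswith("LGPL")
    if lic in WEAK_COPYLEFT and not is_lgpl and not c.modified:
        return "approved", "unmodified weak copyleft: deliver notices"
    # Remaining facts: distributed copyleft, or AGPL.
    if lic.endswith("3.0") and c.embedded_consumer_device:
        return "not_approved", "v3 licenses do not work for embedded consumer devices"
    if c.modified:
        return "review", "modified copyleft triggers ad hoc review"
    if lic.startswith("GPL"):
        if c.linking == "whole_program":
            return "approved", "GPL: whole program"
        return "not_approved", "GPL works for distribution only for whole programs"
    if is_lgpl:
        if c.linking == "dynamic":
            return "approved", "LGPL: dynamically linked library"
        return "not_approved", "LGPL works only for dynamically linked libraries"
    # Anything the rules did not eliminate (e.g. AGPL) is tagged for review.
    return "review", "fact pattern not eliminated by the rules"
```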

This is not legal advice, or it would come with a bill!