Considering how integral open source components have become in the product development life cycle, it’s surprising that one of the biggest risks in open source usage is so often ignored. Unfortunately, open source license compliance rarely crosses developer’s minds, mostly relegated to specialized law offices or legal boardrooms.
This situation is understandable given how developers are busy rushing from one sprint to the next, seldom able to think about the licenses of the open source libraries that they are using or how important it is to be compliant.
Occasionally a major legal issue will stir up the passion and fervor of the open source community, spiraling into lengthy reddit strings and snagging headlines — the Facebook React fiasco of last year, for example. In other cases, when the real threat of legal action looms near, legal consultants and open source community veterans will often post online to make sure the corporations are playing nice.
The Story of the GPL SaaS Loophole
Such was the case a little over ten years ago with the issue of a supposed loophole in the GPL open source license that allowed SaaS companies to integrate GPL open source libraries without sharing their code. This “loophole” was intentionally left in version 3 of the GPL due to the fact that letting users interact with a piece of software over the network, does not constitute distribution.
“Distribution is the triggering event of the GPL,” explains Adv. Haim Ravia, chair of the Cyber & Copyright Group at Pearl Cohen Zedek Latzer Baratz, an international law firm with offices in Israel, UK and the US. “In the absence of distribution, a user is merely using the software, and since the act of running the GPL code is not (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Ayala Goldstein. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/the-saas-loophole-in-gpl-open-source-licenses