Have you ever wondered whether it’s ok to copy and paste code from an open source project? If you have, you’re not alone. A quick look around several developer websites shows a number of variations on this age-old question:
1. “I copy and paste a lot of open source code to meet very tight project deadlines. Is this ok?”
2. “Is copying and pasting from an open source project really a problem?”
3. “How much code can I copy and paste from an open source project?”
The short answers are:
It is never ok to copy and paste code from an open source project directly into your proprietary code. Don’t do it. Just don’t. Even if you’re on a tight deadline. Even if it’s only one loop. Not only does copying and pasting code put your company (and perhaps your job) at risk, but it also forfeits the benefits that come with using open source code properly. Besides, it’s simply bad manners to not play by the open source community’s rules.
Still don’t believe me? Then read on about licensing, bug fixes, security vulnerabilities, and being a good citizen in the open source community. Adopt these best practices. Your job could depend on it!
Open Source Licensing
The most obvious reason to not copy and paste code from open source projects is licensing. Don’t be confused: Even though open source code is free, it still has licensing guidelines that dictate what you can and cannot do with it. And while some open source licenses are permissive, others are more restrictive.
Failing to understand the licensing requirements of the open source code you are copying and pasting could put your company’s intellectual property — the code that makes up the product your company sells in order to make money to pay your salary — in jeopardy. Take, for example, copyleft licenses. Copyleft licenses give you permission to use and modify open source code as long as you make any derivative work freely and openly available. This means that by copying and pasting open source code under a copyleft license into your program, you are agreeing to make your company’s entire codebase open source as well. Do you really want to give away your company’s intellectual property for a programming shortcut?
In addition, by not adhering to open source licenses, you put your company in violation of copyright laws, and there are stiff fines associated with copyright violations. In the US, each instance of a copyright violation could result in a fine of as much as $150,000.
Not Leveraging the Community for Bug Fixes and Security Threats
The open source community prides itself on its ability to collaborate to create the best possible software available. It attracts the best developers — and a higher number of developers — who are drawn to the creativity of a project and not confined by the rules of corporate programming.
One of the biggest advantages of open source projects is you have more eyes looking at, improving, fixing, and securing the code. Because there is more transparency and ongoing development, open source projects are continually improving and security gaps are closed more quickly than in proprietary software.
If you copy and paste code, you lose the benefit of subsequent improvements and fixes made to the original open source project. By copying and pasting code instead of properly calling the open source library, you sever the connection between your software and the original open source code. This cuts you off from any future innovation of that open source project, which means that if the original open source library is updated for any reason — new functionality, a bug fix, or a security vulnerability — you won’t know that your copied code needs to be updated.
Copying and pasting is not the most effective way to use open source code. Do you really want to take the chance that a vulnerability — and its subsequent fix — is discovered after you copy and paste the code into your project? Because you copied and pasted the code, you would have no way of knowing that it presents a security threat. Imagine being singularly responsible for exposing your company to that level of risk.
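One practical way to catch the drift described above, as an added example that is not part of the original post: record where each copied snippet came from and compare a normalized fingerprint of the local copy against the upstream releases. The release strings, version numbers and `parse_port` function below are constructed samples, not real project code.

```python
"""Flag copied snippets that no longer match the current upstream release.

Added example, not from the original post. Every snippet and version
number below is constructed sample data.
"""
import hashlib
import re
from typing import Dict


def normalize(code: str) -> str:
    """Drop comments, blank lines and indentation so cosmetic edits
    (a 'copied from' header, a TODO) do not hide a match.
    Limitation: '#' inside string literals is also stripped."""
    kept = []
    for line in code.splitlines():
        line = re.sub(r"#.*$", "", line).strip()
        if line:
            kept.append(line)
    return "\n".join(kept)


def fingerprint(code: str) -> str:
    """SHA-256 over the normalized text."""
    return hashlib.sha256(normalize(code).encode("utf-8")).hexdigest()


# Constructed upstream history: 1.0.1 adds a range check that 1.0.0 lacked.
UPSTREAM_RELEASES: Dict[str, str] = {
    "1.0.0": "def parse_port(s):\n    return int(s)\n",
    "1.0.1": (
        "def parse_port(s):\n"
        "    p = int(s)\n"
        "    if not 0 < p < 65536:\n"
        "        raise ValueError(s)\n"
        "    return p\n"
    ),
}
LATEST = "1.0.1"


def classify_copy(local_code: str, releases: Dict[str, str] = UPSTREAM_RELEASES,
                  latest: str = LATEST) -> str:
    """Return 'current', 'stale:<version>' or 'unknown' for a local copy.
    'stale' means the copy matches an older release and missed its fix;
    'unknown' means it was edited locally and cannot be tracked at all."""
    fp = fingerprint(local_code)
    for version, source in releases.items():
        if fingerprint(source) == fp:
            return "current" if version == latest else f"stale:{version}"
    return "unknown"
```

Run over a real tree, the `stale` and `unknown` results are the copies that will never receive the upstream fix on their own.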
Not Playing by the Rules of the Community
The open source community is built on a culture of cooperation. Its members believe everyone plays an integral part and that the contributions of the individual are what make the whole stronger. They are passionate about what they do. Some argue it’s even a lifestyle.
In order to benefit from the code developed by these projects, you must respect their rules. Copying and pasting code goes against the ethos of collaboration and transparency at the heart of the open source community.
Don't risk upsetting the community. If you want to remain compliant with licensing, keep up to date on bug fixes and security vulnerabilities, and remain in good standing with the open source community, you need to never, ever, ever copy and paste code again. Ever.
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Julie Peterson. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/copy-and-paste-code