Slaying the Dragon of OSS Legal Compliance with the Advanced Legal Pack

It goes without saying that open source software (OSS) dependencies are growing explosively. Along with that growth comes an increasingly complex web of licenses, terms, and legal requirements. And while we have spoken at length about the crucial role of license compliance, the focus has been on leveraging policy management to ensure developers choose components that mitigate legal risk.

However, open source software is not free of obligations. Each license comes with a plethora of legal duties. Even if developers choose components that align with your organization's policies, that does not relieve the organization of the obligations those licenses impose.

The most common legal obligations are known as 'attributions'. These require the disclosure of an OSS component's license text, notice text, copyright holders, contributors, and source code. In a typical application with 260 dependencies, gathering that data can sap up to 58 hours of productivity.

Ignoring these obligations violates the terms of the OSS license, exposes an organization to legal risk, prevents distribution through various cloud marketplaces, and runs counter to international compliance standards.
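Much of the 58 hours described above is spent assembling the attribution data by hand. The script below is an added example, not code from the original post or from Sonatype, showing how that collection can be automated and checked: it reads a constructed, simplified dependency manifest (an assumption for illustration, not a real SBOM schema such as CycloneDX or SPDX), renders a NOTICE-style attribution file containing the license text, notice text, copyright holders, contributors, and source location for each component, and reports any component whose attribution data is incomplete so it cannot silently ship without its required disclosures. The component names and URLs are invented for the sample.

```python
"""Generate a NOTICE-style attribution file from a dependency manifest and
flag components whose attribution data is incomplete.

Added example; not from the original post or from Sonatype. The manifest
format is a simplified, constructed stand-in, not a real SBOM schema.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Attribution fields that must be present before a component can be disclosed.
# Notice text and contributors are included when present but are not required
# by every license, so they are not in this list.
REQUIRED_FIELDS = ("license_id", "license_text", "copyright", "source_url")

# Constructed sample manifest: one entry per resolved dependency (assumption).
SAMPLE_MANIFEST = json.dumps({
    "components": [
        {"name": "libalpha", "version": "1.2.3", "license_id": "Apache-2.0",
         "license_text": "Apache License\nVersion 2.0, January 2004 ...",
         "notice_text": "This product includes software developed by Example Org.",
         "copyright": "Copyright 2019 Example Org",
         "contributors": ["alice", "bob"],
         "source_url": "https://example.invalid/libalpha/1.2.3.tar.gz"},
        {"name": "libbeta", "version": "0.4.0", "license_id": "MIT",
         "license_text": "MIT License ...",
         "copyright": "Copyright (c) 2021 Carol",
         "source_url": "https://example.invalid/libbeta/0.4.0.tar.gz"},
        # No license text and no source location: cannot be attributed yet.
        {"name": "libgamma", "version": "9.9.9", "license_id": "GPL-3.0-only",
         "copyright": "Copyright 2018 Dave"},
    ]
})


@dataclass
class Component:
    name: str
    version: str
    data: Dict = field(default_factory=dict)

    def missing(self) -> List[str]:
        """Required attribution fields that are absent or empty, in REQUIRED_FIELDS order."""
        return [f for f in REQUIRED_FIELDS if not self.data.get(f)]


def load_components(manifest_json: str) -> List[Component]:
    """Parse the constructed manifest format into Component records."""
    raw = json.loads(manifest_json)
    return [Component(c["name"], c["version"], c) for c in raw["components"]]


def audit(components: List[Component]) -> Dict[str, List[str]]:
    """Map 'name@version' to its missing fields for every component that cannot be attributed."""
    return {f"{c.name}@{c.version}": c.missing() for c in components if c.missing()}


def render_notice(components: List[Component], product: str = "example-app") -> str:
    """Build NOTICE text from fully attributed components only, sorted by name and version."""
    lines = [f"{product} bundles the following third-party components:", ""]
    for c in sorted(components, key=lambda c: (c.name, c.version)):
        if c.missing():
            continue  # reported by audit(); never emit a half-complete entry
        lines += [f"== {c.name} {c.version} ({c.data['license_id']}) ==",
                  c.data["copyright"]]
        if c.data.get("contributors"):
            lines.append("Contributors: " + ", ".join(c.data["contributors"]))
        if c.data.get("notice_text"):
            lines.append(c.data["notice_text"])
        lines += [f"Source: {c.data['source_url']}", "", c.data["license_text"], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    comps = load_components(SAMPLE_MANIFEST)
    print(render_notice(comps))
    gaps = audit(comps)
    if gaps:
        print("Incomplete attribution data (fix before release):")
        for key, fields in gaps.items():
            print(f"  {key}: missing {', '.join(fields)}")
```

In a build pipeline the sensible policy is to fail the release when `audit()` returns anything, rather than shipping a NOTICE file that quietly omits a component; the omission is exactly the license violation the post warns about.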

Legal Burden for Development Teams

Given this complex array of licenses, obligations, and risks, legal organizations have a tendency to respond in a hostile or crude fashion. They often require development organizations to collect their own legal data, or place draconian restrictions on which OSS dependencies can be used, blocking all but the most permissive licenses.

That has a negative effect not only on developers' quality of life but also on their creativity. And a reduction in OSS choice is a competitive disadvantage for the organization as a whole.

These processes are also opaque to development organizations. Developers are often asked to collect legal data whose necessity is unknown to them, and to provide an inordinate amount of information, when only a fraction of it (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Dariush Griffin. Read the original post at: