Welcome!

Linux Containers Authors: Peter Silva, Pat Romanski, XebiaLabs Blog, Gerardo A Dada, Derek Weeks

Related Topics: @CloudExpo, Open Source Cloud

@CloudExpo: Article

Open Source Software License Obligations in Cloud Applications

Most software applications today incorporate some open source software directly or indirectly

The latest technology buzz, after the Internet, telecom, and mobile, is cloud computing. Hype or not, in various names and forms, cloud computing providers - platforms and applications alike - are counting on more than $40 billion in revenue in 2011 alone, growing to more than $241 billion in 2020, according to a recent report on "Sizing the Cloud" by Forrester Research.

Open Source Software in the Clouds
Most software applications today incorporate some open source software directly or indirectly (dynamically linked). Developer's resourcefulness, code reuse, and efficiencies of development make open source an attractive option for all technology organizations. Cloud applications are no exception and many applications deployed in clouds are either entirely open source (think OpenStack or OpenERP Server), or have a significant amount of open source in them. According to the "Future of Open Source Survey" released by Northbridge Venture Partners, there are now more than 470 open source projects targeting cloud computing.

The use of open source software in a cloud application is governed by certain obligations, usually contained in the associated open source license. Managing compliance with software licenses is like any other quality management process. A good quality assurance process makes sure that the deficiencies are discovered and corrected before a product is released to the market.

Once the market discovers a quality problem, correcting it could be costly. Until now, open source software license management has been more rigorously applied to products that were distributed in volume, such as desktop applications, networking devices, entertainment products or mobile devices. Ownership and licensing issues abound in the mass products domain - think Sony vs. LG, Apple vs. the world, Microsoft vs. Google, SFLC vs. Cisco/Linksys, SFLC vs. Samsung/Verizon, etc.

Cloud computing technology and platforms don't introduce new risks on their own, rather cloud-based software applications do. What separates a software application deployed in a cloud from other applications is that generally these applications are not distributed. They are perceived to be less visible from market scrutiny, and also don't fall under many of the obligations associated with copyleft licenses.

Open Source Licenses
The variety of licenses currently governing the use of open source software is extensive, with approximately 80 recognized by the Open Source Initiative (OSI). In reality, less than two dozen are exploited. Almost all open source licenses can be widely categorized into several varieties.

  • Public Domain licenses are basically free-for-all licenses you can do anything with (except sue the author).
  • Permissive licenses, such as MIT, BSD and Apache licenses are most common, as they can be modified and used in any open source or proprietary application as long as the attributions (copyright comments and the names of original authors/organizations) are not deleted.
  • Copyleft licenses have more or less protective (also referred to as restrictive) terms associated with them.
  • Weak copyleft licenses, including Eclipse Public License (EPL) and Mozilla Public License (MPL), allow modification and mixing of the open source code with proprietary code, as long as you make the non-modified open source code available somewhere on line and point to it in the documentation. LGPL (Lesser GPL) licenses are strongest in this category as they require modified code to be released in the source form (unless the application only links to the open source LGPL code and does not statically include it in the application).
  • Strong copyleft licenses, such as GPL version 2 and version 3, impact software that is distributed. Almost all of these licenses require software (using all or part of a copyleft open source software) be released under copyleft obligations (hence the term viral used for these licenses). Any proprietary code that is a modified version of the GPL code must also be made available in source form. GPLv3 specifically disallows use in its entirety or modified form in any DRM applications.

Alfero GPL and Cloud Applications
The Alfero version of the GPL (AGPL) license, issued by the Free Software Foundation in late 2007, goes one step further, extending the GPLv3 rules to applications that are not distributed. These include software developed mainly for in-house applications and software deployed in web services or cloud applications. Specifically, if the software deployed in a cloud application contains, in its entirety or modified form, any AGPL-licensed software, the source code for the entire running application must be made available to the community.

AGPL obligations, in summary, are the following:

  • Freedom of use - no license fee to use, modify, redistribute.
  • Copyleft - reciprocal usage and disclosure/permission requirements.
  • Source Code Provision requirement - source code must be provided with any distribution (propagation) of code (original and modified).
  • Modifications are allowed, but all modified files must have their source code freely available for use and modification by others.
  • Combination with other code is NOT permitted unless the other code is compatible or can be converted to GPL terms [copyleft].
  • Anti-Circumvention Protection - no code covered by GPLv3 may be included in or constrained by any anti-circumvention mechanism (technical or legal).
  • Software Patent License Grant - a software patent that is based in any part on GPLv3 code and distribute the product, you are deemed to grant a license to use, modify and redistribute that patent to all downstream users of the product.
  • "Tivo-ization" clause - if your product (that uses or is based around GPLv3 code) is bound by other licensing terms that are restrictive or otherwise incompatible with GPLv3, you may not convey (distribute) the product.

Certain versions of popular web applications such as SugerCRM, Launchpad and PHP-Fusion are licensed under AGPL.

Last Word...
Just like traditional software, it's important to know what is in your code as early as possible before it goes to market. As with all quality management processes, discovering your license obligations early in the development process reduces the cost and time spent fixing problems right before the product is released. Many cloud applications are not distributed, and therefore don't fall under obligations associated with many copyleft licenses, except the recent ones such as AGPL. To gain a clear understanding of third-party components and their license obligations a process must be put in place where external content is identified, tracked and managed. This can be done within a structured open source adoption process, either manually, or increasingly deploying automated tools.

More Stories By Lacey Thoms

Lacey Thoms is a marketing specialist and blogger at Protecode, a provider of open source license management solutions. During her time at Protecode, Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising, and web design and development. Lacey has a Bachelor’s Degree in Mass Communications from Carleton University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
An IoT product’s log files speak volumes about what’s happening with your products in the field, pinpointing current and potential issues, and enabling you to predict failures and save millions of dollars in inventory. But until recently, no one knew how to listen. In his session at @ThingsExpo, Dan Gettens, Chief Research Officer at OnProcess, discussed recent research by Massachusetts Institute of Technology and OnProcess Technology, where MIT created a new, breakthrough analytics model for s...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, discussed how VPaaS enables you to move fast, creating scalable video experiences that reach your aud...
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
IoT is rapidly changing the way enterprises are using data to improve business decision-making. In order to derive business value, organizations must unlock insights from the data gathered and then act on these. In their session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, and Peter Shashkin, Head of Development Department at EastBanc Technologies, discussed how one organization leveraged IoT, cloud technology and data analysis to improve customer experiences and effici...
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...