What You Should Know if You Are Deploying Open Source in the Cloud
Since the emergence of strong cloud service providers like Amazon Web Services, Google and Rackspace, software development and deployment are increasingly taking place in the cloud. According to Gartner, cloud computing is expected to grow at a rate of 19% this year. Big industry players including Netflix and eBay have already turned to the cloud for significant proportions of their operations and offerings. And, in the next few years we are likely to see more and more innovative start-ups like Coupa completely suspended in the cloud, relegating on-premise computing to a vestige of a bygone era. At the same time, we are seeing a proliferation of open source floating around in the cloud.
For those of you who are thinking of heading to the cloud, beware that some newer open source software licenses used in popular cloud applications require you to make your code available to downstream recipients, even though you are not technically distributing the software. Luckily, there are various open source license management solutions that can help safely manage your transition into the cloud. And if you are among the enterprises that can boast operating 100% in the cloud, you can opt in favor of cloud-based solutions.
Growth of Cloud Computing
What makes the cloud particularly attractive to enterprises is that it enables companies to lease access to infrastructure, platforms and software, drastically reducing their overall operating costs. The economies of scale associated with the cloud present a unique opportunity for customers to achieve the same or greater computing power at a lower cost than would be attainable if they opted for on-premise solutions. Additional drivers behind widespread enterprise adoption of cloud-based solutions include implementation costs that accurately reflect usage, the elimination of maintenance costs, and the increased ability of users to enjoy seamless access to applications across a variety of devices, including tablets and smart phones.
Open Source in the Cloud
While enterprises are shifting from legacy solutions towards the cloud, open source software is gaining significant traction for similar reasons. Gartner projects that 99% of Global 2000 companies will incorporate open source into their operations by 2016. Adopters of both cloud and open source solutions are drawn towards the increased potential for collaboration and lower total cost of ownership. As open source software becomes increasingly available in the cloud, it is important for enterprises to understand how the cloud environment changes license obligations. Before we explore the unique compliance challenges that the cloud poses for software-as-a-service (SaaS) companies, we will briefly outline the obligations imposed by different types of open source licenses in the pre-cloud context.
Permissive vs. Restrictive Open Source Licenses in the Pre-Cloud Environment
Licenses that cover open source code carry unique terms that have implications for code use, modification and distribution. There are two broad categories of open source licenses – the permissive and restrictive types. Permissive licenses such as the MIT and BSD licenses impose minimal obligations on code use, modification and distribution, enabling developers to incorporate open source code into proprietary software, which they could then protect by adding additional license terms.
In contrast, restrictive open source licenses such as GPL do not allow users of covered code to release derivative works under different license terms. In addition, these restrictive licenses require users that distribute modified programs to make their source code available to downstream users, in order to maintain the copyleft community’s goal of achieving software freedom. This concept of software freedom refers to the right of all downstream users to access, run, modify and redistribute software containing the covered code. This feature of restrictive licenses renders it impossible to incorporate open source code into proprietary offerings. There is no way to avoid these stringent rules, and the failure to comply with such obligations can lead to severe consequences, including being forced to come into compliance by releasing the asset’s source code, or paying damages for intellectual property infringement.
In the pre-cloud environment, software vendors made their products available to end users through software distribution. Because there was no other means of making software available to users, it was impossible for vendors to escape the distribution clauses in restrictive open source licenses. However, this has changed with the introduction of the cloud.
Cloud Computing’s Challenge to the Distribution-Based GPL Model
Restrictive open source licenses such as GPL only operate to maintain software freedom to the extent that the underlying open source code is part of a distribution. For example, GPLv3 states: “you have certain responsibilities if you distribute copies of the software: responsibilities to respect the freedom of others. If you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code.” Before the emergence of the cloud, this license term ensured that any time that software incorporating covered code was deployed to third parties, that distribution would be governed by the GPL terms such that the distributor would be forced to make its code available to users. However, the proliferation of cloud-based solutions threatened to destabilize the GPL model by creating an environment in which for the first time software was made available to users without being distributed.
GPL: Permissive Within the Cloud
In instances where software containing GPL code is made available through network services, the distribution clause is bypassed and the provider does not have to release its source code. Remember the free software reciprocity trigger: “If you distribute copies of such a program…you must pass on to the recipients the same freedoms that you received.” However, because software is not distributed in the cloud – it’s simply made available to users as a service – providers do not have to pay these freedoms forward. Rather, they can access the benefits of using free software without being forced to provide those same benefits to their users. This loophole enables SaaS enterprises to embed GPL-covered code into proprietary cloud offerings. Effectively what this means is that within this distribution-free model, the GPL assumes the attributes of a permissive license (think MIT, BSD).
AGPL: The Open Source Empire Strikes Back
For anyone who thought that the cloud rendered the proprietary and open source debate moot, think again – the battle is far from over, it simply relocated to another arena. Before long, the copyleft faction of the open source movement regrouped and responded to the threat that the cloud-based model posed to its goal of maintaining software freedom. The weapon of choice that the movement developed and deployed to respond to the unique challenges imposed by the emerging cloud-based environment was the Affero GPLv3 (AGPLv3), which covers popular applications such as PHP-Fusion, Launchpad and SugarCRM.
Unlike the GPL, which relies on the act of distribution to trigger the free software reciprocity clause, the AGPLv3 includes the following term, which was articulated specifically for situations in which software is used on a network but is not technically distributed. This clause states that: “if you modify the program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the corresponding source of your version by providing access to the corresponding source from a network server at no charge, through some standard or customary means of facilitating copying of software.” This license term applies the distribution-based reciprocity clause to cloud-based software offerings in which users run programs from remote servers.
AGPL in the Private Cloud
AGPL was drafted as a solution to the problem that the public cloud created. Its preamble states that whereas the GPL “permits making a modified version and letting the public access it on a server without ever releasing its source code to the public…AGPL is designed specifically to ensure that, in such cases, the modified source code becomes available to the community.” But what happens if an organization uses AGPL code internally? The remote network interaction clause states that, “if you modify the program, your modified version must prominently offer all users interacting with it remotely through a computer network an opportunity to receive the corresponding source of your version through some standard customary means of facilitating copying of software.” It appears that the same principle applies in both the public and private cloud contexts – any users have the right to access the modified code and to create their own versions. In the private cloud scenario, these freedoms would extend to any employees, contractors and other parties using the server.
How to Transition Your Organization into the Cloud
Given the new obligations imposed by the AGPLv3, it is critical for cloud-based providers to take inventory of the open source code embedded in their product offerings, and to ensure that their intellectual property policies are in line with the obligations imposed by the various open source licenses covering the code being used. There are a variety of tools available that can help SaaS enterprises ensure open source compliance in the cloud. For example, enterprises can scan their software with tools that are specifically designed to detect open source code and provide a list of the license obligations that accompany each component. In addition, a structured Open Source Software Adoption Process (OSSAP) can be used to define acceptable intellectual property license policies for the organization, audit the current software portfolio and incoming code, and ensure compliance through all of the software development and procurement stages.
Open source license management solutions are now accessible to companies in the cloud. Because these solutions are hosted in the cloud environment, they eliminate the need for enterprises to install or update code scanning software. Instead, companies can sign up with a service provider and are given access to software that scans their code, identifies open source and provides a breakdown of the associated license obligations. Such open source license management services are invaluable to SaaS enterprises, particularly given the uncertainties associated with open source in the cloud. In addition to ensuring that organizations understand and are able to meet their open source license obligations, these management solutions position enterprises to respond efficiently and effectively to any instances of non-compliance that are detected. For example, by understanding which components of the software are used in a non-compliant fashion, SaaS enterprises are positioned to replace the infringing code with code that offers similar functionality, or to adapt their policies to ensure adherence to obligations.
The emerging cloud-based model offers immense opportunities but also raises new risks for your organization’s intellectual property. The good news is that there are open source license management solutions available to help your organization make this important transition. For those of you planning on navigating the cloud environment, it is important to take an inventory of your code and to determine if you are using open source properly. Keep in mind that your organization’s intellectual property policies that were developed for the traditional software distribution model will need to be assessed and updated to meet the distinct obligations associated with the cloud environment.
Diana Marina Cooper is an open source corporate strategy consultant for Protecode (www.protecode.com). Cooper obtained a BA in Politics and Governance and an MA in Globalization Studies, and is currently a JD Candidate (2013), pursuing a concentration in Law and Technology.