Open source: Companies skipping security update face big risk Watch Now

Video: Open source: Companies skipping security update face big risk

From outside programming circles, software licensing may not seem important. In open-source, though, licensing is all important.

So, when leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License(GPLv2) or GNU Lesser General Public License (LGPL)v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal.

Read also: How Red Hat's strategy helps CIOs take baby steps to the cloud (TechRepublic)

Both older open-source licenses are widely used. When the GPLv3 was released, it came with an express termination approach that offered developers the chance to cure license compliance errors. This termination policy in GPLv3 provided a way for companies to repair licensing errors and mistakes. This approach allows license compliance enforcement that is consistent with community norms.

Other companies -- CA Technologies, Cisco, HPE, Microsoft, SAP, and SUSE -- have taken similar GPL positions.

This doesn't apply, of course, to Linux itself. Linus Torvalds has made it abundantly clear that Linux has been, will now, and always shall be under the GPLv2.

So, what does all this mean? The kernel developers came up with the easiest explanation:

If you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder; and you cure the violation prior to 30 days after your receipt of the notice.

The purpose? The top Linux developers explained, "Our intent in providing these assurances is to encourage more use of the software. We want companies and individuals to use, modify and distribute this software. We want to work with users in an open and transparent way to eliminate any uncertainty about our expectations regarding compliance or enforcement that might limit adoption of our software. We view legal action as a last resort, to be initiated only when other community efforts have failed to resolve the problem."

In its new position statement, Red Hat explained that the GPLv2 and LGPL, as written, has led to the belief that automatic license termination and copyright infringement claims can result from a single act of inadvertent non-compliance. Indeed, some people believe a singly copyright violation could lead to a lawsuit even if the copyright holders haven't bothered to tell the alleged violators of what was going down before seeking legal recourse.

Within Red Hat's non-commercial software family, the WildFly, GlusterFS and Pulp projects have added the language. These provide core components of Red Hat's JBoss Middleware, Red Hat Gluster Storage, and Red Hat Satellite products. Other Red Hat-based projects considering this license protection include Anaconda, Red Hat's operating system installation program; Candlepin; the Cockpit server manager; and Koji, the RPM package builder.

Why is Red Hat bothering with this when it's already incorporated the cure commitment language with Red Hat Enterprise Linux (RHEL)? Red Hat's senior commercial counsel, Richard Fontana, explained:

"License selection is a form of legal decision making, but for as long as I've been at Red Hat, engineers have been given significant discretion to choose licenses for the projects they maintain, within certain boundaries (for example, expectations to pick from a small set of widely-used, de facto standard licenses). This reflects not only our corporate traditions of developer empowerment, but also our view that engineers typically have the greatest competence to determine the appropriate license strategy for growing user and contributor communities around their projects."

Both historically and today, many Red Hat engineers choose GPLv2 or LGPLv2.1 for their projects. Over time, these often incorporate contributions from copyright holders other than Red Hat.

Therefore, said Fontana, "We are extending the GPLv3 termination policy to users of our GPLv2/LGPLv2.1 code because we consider it the right thing to do. The cure permissions offer additional comfort that users of our code have reasonable assurances of quiet use of that code, even if there is a temporary license noncompliance by a third party redistributing our code, due to misunderstanding or otherwise. ... We hope that others will also join in this endeavor to reassure the open source community that good faith efforts to fix noncompliance will be embraced."

Read also: From Linux to cloud, why Red Hat matters for every enterprise

He makes an excellent point. If your company or group is creating open-source software under a license without copyright cure commitment language, you'd be wise to consider adopting one. It will go a long way to reassuring any potential legally concerned partners and customers that they won't have any worries about contributing to or using your software.

Related stories