Linux, Android, Firefox, WordPress – open-source software, or OSS, powers much of our everyday life. While OSS has brought great benefits, OSS users risk opening up their own software to third-party use. Recent developments could increase that risk.

What is OSS?

OSS is software that anyone can use, modify and share, for free. OSS is governed by one of a number of OSS licences, which differ in how permissive they are. All businesses are likely to use OSS in some form. The main risk, though, is whether businesses can protect the developments they make to or using OSS – some OSS licences require those developments to be licensed for free. OSS can therefore ‘taint’ a business’s own software. This is something to look out for both in internal projects and when assessing an M&A target.

Background: tension between OSS developers and business users

Some OSS developers think business users don’t use OSS in the spirit in which it was created, because they don’t contribute new OSS code back to the community. This first became an issue with Application Service Providers (a smaller-scale, early version of SaaS): ASPs made software functionality available remotely, without distributing copies of the software or its code to end-users. Early OSS licences, like version 2 of the GNU General Public Licence (GPLv2), made copying or distributing the software conditional on licensing any modified version of that software under GPLv2. Many business users argued that using modified versions of software in an ASP context didn’t involve copying or distribution – so the licensing provisions didn’t apply to their modifications.

The GNU Affero General Public License (AGPL) is the best-known licence trying to tackle this issue. It requires that any modification of the software is made available on an open-source basis when it can be accessed over a network (eg online). But software is modular and some businesses interpret this condition very narrowly: they argue that, as long as they leave the AGPL-licensed software itself unmodified, they can freely offer services based on and interacting with it, without opening up their own source code. Indeed, parts of the back-end software powering many major cloud providers are AGPL-licensed OSS, while most of the software around it – which offers customers added value – remains closed-source.

New OSS licence seeks to open up more code

Many OSS developers have become big businesses themselves – and they’re not happy with the narrow interpretation of the AGPL. MongoDB, Confluence and Redis Labs are among the big names that have re-released some of their software under new licences to directly tackle what they see as free-riding by some SaaS providers. MongoDB has come up with its own licence, the Server Side Public Licence (SSPL). Under the SSPL, if access is offered to the functionality of software, and the main value of that access comes from SSPL-licensed software, any of the software facilitating that access must be released on an open-source basis. To avoid attempts to apply narrow interpretations like those applied to AGPL, the SSPL specifies that the source code released must allow users to run the service themselves and includes a nearly exhaustive list of software that is covered – including for management, backup, storage, hosting, user interface and APIs.

This has provoked strong reactions, with some prominent commercial users of MongoDB dropping the software from their distributions (eg Red Hat and Debian). Others have developed compatible alternatives (like Amazon’s DocumentDB). But these responses have so far been confined to a few major players. Members of the Open Source Initiative, an industry body, have raised concerns about whether the SSPL is compatible with other licences governing parts of the source code that the SSPL targets, and about the lack of consultation over the SSPL.

Conclusion: watch out for OSS, particularly in M&A

Whether or not the SSPL or similar licences spread, these developments underscore the need for legal teams to be even more vigilant to the presence of OSS in a company’s assets – including in M&A due diligence.