Welcome!

@CloudExpo Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Kevin Benedict, Elizabeth White

Related Topics: @CloudExpo, Open Source Cloud

@CloudExpo: Article

Open Source Software License Obligations in Cloud Applications

Most software applications today incorporate some open source software directly or indirectly

The latest technology buzz, after the Internet, telecom, and mobile, is cloud computing. Hype or not, in various names and forms, cloud computing providers - platforms and applications alike - are counting on more than $40 billion in revenue in 2011 alone, growing to more than $241 billion in 2020, according to a recent report on "Sizing the Cloud" by Forrester Research.

Open Source Software in the Clouds
Most software applications today incorporate some open source software directly or indirectly (dynamically linked). Developer's resourcefulness, code reuse, and efficiencies of development make open source an attractive option for all technology organizations. Cloud applications are no exception and many applications deployed in clouds are either entirely open source (think OpenStack or OpenERP Server), or have a significant amount of open source in them. According to the "Future of Open Source Survey" released by Northbridge Venture Partners, there are now more than 470 open source projects targeting cloud computing.

The use of open source software in a cloud application is governed by certain obligations, usually contained in the associated open source license. Managing compliance with software licenses is like any other quality management process. A good quality assurance process makes sure that the deficiencies are discovered and corrected before a product is released to the market.

Once the market discovers a quality problem, correcting it could be costly. Until now, open source software license management has been more rigorously applied to products that were distributed in volume, such as desktop applications, networking devices, entertainment products or mobile devices. Ownership and licensing issues abound in the mass products domain - think Sony vs. LG, Apple vs. the world, Microsoft vs. Google, SFLC vs. Cisco/Linksys, SFLC vs. Samsung/Verizon, etc.

Cloud computing technology and platforms don't introduce new risks on their own, rather cloud-based software applications do. What separates a software application deployed in a cloud from other applications is that generally these applications are not distributed. They are perceived to be less visible from market scrutiny, and also don't fall under many of the obligations associated with copyleft licenses.

Open Source Licenses
The variety of licenses currently governing the use of open source software is extensive, with approximately 80 recognized by the Open Source Initiative (OSI). In reality, less than two dozen are exploited. Almost all open source licenses can be widely categorized into several varieties.

  • Public Domain licenses are basically free-for-all licenses you can do anything with (except sue the author).
  • Permissive licenses, such as MIT, BSD and Apache licenses are most common, as they can be modified and used in any open source or proprietary application as long as the attributions (copyright comments and the names of original authors/organizations) are not deleted.
  • Copyleft licenses have more or less protective (also referred to as restrictive) terms associated with them.
  • Weak copyleft licenses, including Eclipse Public License (EPL) and Mozilla Public License (MPL), allow modification and mixing of the open source code with proprietary code, as long as you make the non-modified open source code available somewhere on line and point to it in the documentation. LGPL (Lesser GPL) licenses are strongest in this category as they require modified code to be released in the source form (unless the application only links to the open source LGPL code and does not statically include it in the application).
  • Strong copyleft licenses, such as GPL version 2 and version 3, impact software that is distributed. Almost all of these licenses require software (using all or part of a copyleft open source software) be released under copyleft obligations (hence the term viral used for these licenses). Any proprietary code that is a modified version of the GPL code must also be made available in source form. GPLv3 specifically disallows use in its entirety or modified form in any DRM applications.

Alfero GPL and Cloud Applications
The Alfero version of the GPL (AGPL) license, issued by the Free Software Foundation in late 2007, goes one step further, extending the GPLv3 rules to applications that are not distributed. These include software developed mainly for in-house applications and software deployed in web services or cloud applications. Specifically, if the software deployed in a cloud application contains, in its entirety or modified form, any AGPL-licensed software, the source code for the entire running application must be made available to the community.

AGPL obligations, in summary, are the following:

  • Freedom of use - no license fee to use, modify, redistribute.
  • Copyleft - reciprocal usage and disclosure/permission requirements.
  • Source Code Provision requirement - source code must be provided with any distribution (propagation) of code (original and modified).
  • Modifications are allowed, but all modified files must have their source code freely available for use and modification by others.
  • Combination with other code is NOT permitted unless the other code is compatible or can be converted to GPL terms [copyleft].
  • Anti-Circumvention Protection - no code covered by GPLv3 may be included in or constrained by any anti-circumvention mechanism (technical or legal).
  • Software Patent License Grant - a software patent that is based in any part on GPLv3 code and distribute the product, you are deemed to grant a license to use, modify and redistribute that patent to all downstream users of the product.
  • "Tivo-ization" clause - if your product (that uses or is based around GPLv3 code) is bound by other licensing terms that are restrictive or otherwise incompatible with GPLv3, you may not convey (distribute) the product.

Certain versions of popular web applications such as SugerCRM, Launchpad and PHP-Fusion are licensed under AGPL.

Last Word...
Just like traditional software, it's important to know what is in your code as early as possible before it goes to market. As with all quality management processes, discovering your license obligations early in the development process reduces the cost and time spent fixing problems right before the product is released. Many cloud applications are not distributed, and therefore don't fall under obligations associated with many copyleft licenses, except the recent ones such as AGPL. To gain a clear understanding of third-party components and their license obligations a process must be put in place where external content is identified, tracked and managed. This can be done within a structured open source adoption process, either manually, or increasingly deploying automated tools.

More Stories By Lacey Thoms

Lacey Thoms is a marketing specialist and blogger at Protecode, a provider of open source license management solutions. During her time at Protecode, Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising, and web design and development. Lacey has a Bachelor’s Degree in Mass Communications from Carleton University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"DX encompasses the continuing technology revolution, and is addressing society's most important issues throughout the entire $78 trillion 21st-century global economy," said Roger Strukhoff, Conference Chair. "DX World Expo has organized these issues along 10 tracks with more than 150 of the world's top speakers coming to Istanbul to help change the world."
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are focused on SAP running in the clouds, to make this super easy because we believe in the tremendous value of those powerful worlds - SAP and the cloud," explained Frank Stienhans, CTO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are still a relatively small software house and we are focusing on certain industries like FinTech, med tech, energy and utilities. We help our customers with their digital transformation," noted Piotr Stawinski, Founder and CEO of EARP Integration, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Any startup has to have a clear go –to-market strategy from the beginning. Similarly, any data science project has to have a go to production strategy from its first days, so it could go beyond proof-of-concept. Machine learning and artificial intelligence in production would result in hundreds of training pipelines and machine learning models that are continuously revised by teams of data scientists and seamlessly connected with web applications for tenants and users.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are an IT services solution provider and we sell software to support those solutions. Our focus and key areas are around security, enterprise monitoring, and continuous delivery optimization," noted John Balsavage, President of A&I Solutions, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
The financial services market is one of the most data-driven industries in the world, yet it’s bogged down by legacy CPU technologies that simply can’t keep up with the task of querying and visualizing billions of records. In his session at 20th Cloud Expo, Karthik Lalithraj, a Principal Solutions Architect at Kinetica, discussed how the advent of advanced in-database analytics on the GPU makes it possible to run sophisticated data science workloads on the same database that is housing the rich...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
"We want to show that our solution is far less expensive with a much better total cost of ownership so we announced several key features. One is called geo-distributed erasure coding, another is support for KVM and we introduced a new capability called Multi-Part," explained Tim Desai, Senior Product Marketing Manager at Hitachi Data Systems, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
SYS-CON Events announced today that SkyScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SkyScale is a world-class provider of cloud-based, ultra-fast multi-GPU hardware platforms for lease to customers desiring the fastest performance available as a service anywhere in the world. SkyScale builds, configures, and manages dedicated systems strategically located in maximum-securit...
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.