Understanding the different types of software licensing can be complex. Proprietary software licenses and open source software licenses are relatively easy. But there’s a third category: source available licenses. This is possibly the most confusing license category. Source available software falls between commercial and open source licenses: it is not exactly proprietary and not exactly fully open.
Where it becomes most confusing is that source available licenses look a lot like open source, because the source code is available. Yet source available licensing carries risks that don’t occur with open source. If these aren’t sufficiently accounted for, companies could short-circuit their development lifecycle and interrupt product delivery. To understand why source available is so complex, it’s vital to first discuss the different types of software licensing.
What Makes Source Available Different
In general, there are a few different forms of software. Proprietary software is easy to understand: the source code is kept private, and the software can only be sold or used under terms set by the corporation that created it. Open source software is available for any use, commercial or otherwise. Licenses for open source fulfill the FSF Four Freedoms or the OSI Open Source Definition, depending on your preferred interpretation.
Within open source, there are a few different subtypes of license:
- Permissive – A subset of open source that loosens requirements on redistribution and derivative works.
- Copyleft – An open source license that places stricter requirements on redistribution and derivative works.
- Public Domain Equivalent – A license that is equivalent to making the source code public domain.
Source Available licenses are distinct from proprietary and open source licenses because they don’t guarantee the same freedoms as open source. The source code or installers are publicly available, which is why they’re called “source available,” but that is where the confusion begins.
Source available licenses are closest to commercial and proprietary licenses. Because source code and/or binary artifacts are available, however, source available software is often confused with open source software. It doesn’t help that source available software often isn’t clearly defined.
What Source Available Licenses Look Like
Source available software is typically published in the same places as open source, because technically nothing prevents the source code from being published and exposed. This creates issues: a developer won’t mistake a commercial piece of software for open source, but they might find a source available program on GitHub or StackOverflow and integrate it without looking too closely.
This creates problems down the line. To understand the differences, let’s examine a few source available licenses:
- BSD-3-Clause No Nuclear. This is the same as a BSD-3-Clause license with one major change. It adds at the end that “You acknowledge that this software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility.” The central point is that the license explicitly states the software is not licensed for use in nuclear facilities. It’s a niche revision, of course, but this license demonstrates that it’s easy to add restrictions to a well-known license. Doing this makes the restrictions hard to detect, and some automatic license detection tools won’t pick up the issue.
- Don’t be a D*ck Public License is extremely vague, with many confusing statements about what is and isn’t allowed. This type of source available license was likely written by non-legal professionals who didn’t consider the potential impact of its being used. One well-known example of software using this license is node-ipc. The package has since been relicensed under MIT, but the older DBAD-licensed version is still available. It’s downloaded 150,000 times per week according to NPM statistics at the time of writing.
- Business Source License. This one is interesting. It’s written so that the software is “source available” only until the fourth anniversary of the specific version’s release date, at which point that version becomes available under an Open Source license. This means that if you want to use the software under the Open Source license, you must keep track of release dates and make sure you don’t use versions that are too new.
Companies already struggle to manage their third-party dependencies, even without trying to keep track of release dates. With source available licensing, there’s also the issue of tracking components under multiple licenses. Knowing the different licenses might be one thing, but where do you track which option you’re using the licensed software under?
How to Reduce the Risk of Source Available Licenses
There is no surefire way to avoid integrating source available software. Educating developers about license types is a start, of course. Companies should also use an allowlist to double-check licenses before the software is used. That said, software under a Business Source License can shift to become open source, and that complicates things.
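An added example, not code from the original post or from FossID: a minimal allowlist gate in Python that catches the two traps described above, a well-known license with an extra clause appended after its closing disclaimer (the BSD-3-Clause No Nuclear case) and a Business Source License version whose change date must be computed from its release date. The license templates, marker sentences and sample license text are abridged and constructed here.

```python
# Constructed example: a minimal license gate for a dependency allowlist.
# Not FossID's or any project's code; templates, markers and sample text
# below are abridged or invented for illustration.
import re
from datetime import date

ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Fragments of the canonical BSD-3-Clause text. BSD3_END is its final
# sentence: anything after it is an appended clause and must be flagged.
BSD3_MARKERS = ("redistributions of source code must retain",
                "neither the name of")
BSD3_END = "even if advised of the possibility of such damage."

# Constructed sample: abridged BSD-3-Clause with the "No Nuclear" sentence.
SAMPLE_NO_NUCLEAR = """Redistributions of source code must retain the above
copyright notice. [...] Neither the name of the copyright holder nor the
names of its contributors may be used [...] EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.

You acknowledge that this software is not designed, licensed or intended
for use in the design, construction, operation or maintenance of any
nuclear facility."""

def normalize(text):
    """Collapse whitespace and case so template matching is stable."""
    return re.sub(r"\s+", " ", text).strip().lower()

def classify(license_text):
    """Return (license id, appended text). A known template with extra
    clauses is reported as '<id>+restrictions', never as the base id."""
    body = normalize(license_text)
    if all(m in body for m in BSD3_MARKERS) and BSD3_END in body:
        tail = body.split(BSD3_END, 1)[1].strip()
        return ("BSD-3-Clause+restrictions", tail) if tail else ("BSD-3-Clause", "")
    return "UNKNOWN", ""

def bsl_change_date(release_iso):
    """Business Source License as described in the post: the version
    becomes open source on the fourth anniversary of its release date."""
    release = date.fromisoformat(release_iso)
    return release.replace(year=release.year + 4)

def gate(license_text, bsl_release_iso=None, today_iso=None):
    """Allowlist decision for one component. BSL components are keyed by
    release date and pass only once the change date has arrived."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    if bsl_release_iso is not None:
        change = bsl_change_date(bsl_release_iso)
        state = "open source" if today >= change else "source available"
        return today >= change, f"BSL change date {change}: {state}"
    lic, tail = classify(license_text)
    if lic in ALLOWLIST:
        return True, lic
    return False, (f"{lic}: appended clause {tail!r}" if tail
                   else f"{lic}: not on allowlist")
```

The gate never reports the base license id when text follows the template's last sentence, which is exactly the case a fingerprint-only detector misses.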
Software Composition Analysis (SCA) is the best course of action to detect these licenses in your software products and services. FossID Workbench is a great companion if you want to mitigate the risks associated with source available licenses, as it can not only detect nearly 2,000 different licenses but also classify them. As of today, more than 20% of the licenses in FossID’s knowledge base are classified as source available, and almost half of them have restrictions for commercial use.
So, to sum it up, don’t just care about open source, proprietary and commercial software: make sure you understand every piece of software that is part of your toolchain. It may sound daunting, but once you do it regularly and efficiently you will avoid future headaches.