Okay, for those of you who were looking for an actual game, I’m sorry; there isn’t one. But for those of you who use or want to use open source software (OSS), it may feel like the author of the software was playing a joke on you. Here’s a question for you:
We usually think that it has just one license. Sometimes that’s true, but in the world of OSS, it is rarely the case. Think about it. If you were building a piece of software, would you rather grab some components off the shelf and create as few as possible yourself? Of course you would! The same is true for OSS developers. The practice of using some OSS components and building others commonly results in a piece of packaged OSS software being composed of many smaller components – each with its own license. This can mean that instead of one license, you can potentially be dealing with 10 licenses or 100 licenses. The most I’ve ever seen is just under 1,000 OSS licensed components in one software package.
Still, this may not be a problem. The question to ask is, how much diligence did the OSS developers conduct when selecting each of these off-the-shelf components? Major OSS software foundations, such as The Apache Software Foundation, perform significant due diligence and assess each license for compatibility with the rest of their licenses. At times, these foundations choose to build a component from scratch rather than using an existing OSS component in order to control the licenses. This makes selecting software from The Apache Software Foundation an easier decision for most businesses. While your company still conducts its legal review and analyzes the complete license makeup of the software package, you have confidence that Apache has also done significant work.
How do you determine your risk exposure for each OSS component? To do this reliably, you need a process to introduce OSS and track both the licenses and where OSS is used. One such solution is described in my book, Open Source Software: Implementing a Successful OSS Management Practice, available on Amazon. Another great source is SilverStream Consulting.
—Jeff Brown, SilverStream Consulting