The GPL, or GNU General Public License, is a widely used copyleft free and open source software license that guarantees users the freedom to run, distribute, and modify the software. Enterprises are wary of the GPL because of its reciprocity: any work derived from GPL-licensed code that is distributed to others must itself be licensed under the GPL, with the corresponding source code made available to recipients. These obligations make the GPL less permissive, and more demanding to comply with, than other popular open source licenses such as the Apache License. Despite these conditions, a 2017 open source security audit found that 50% of the applications scanned contained GPL-licensed code. Organizations may keep using GPL code because it is still better than the alternative of no license at all. Some software ships without any identifiable license, which only increases the risk an organization takes on when it deploys that software or builds products on it.
Over the last 10 years, various copyright holders have enforced their copyrights under the GPL and LGPL licenses. Enforcement actions against open source license violations have been especially common in Germany for some time. The typical enforcement process there is as follows: once a copyright holder discovers that somebody is violating their copyright in open source code, they send a cease and desist letter to the infringing party. This leads to a discussion between the two parties, which ends in either an agreement or a lawsuit. If the parties decide to settle, they sign an agreement that typically contains a contractual penalty clause: if the infringing party violates the copyright holder's rights again, it must pay a previously agreed penalty. The purpose of the penalty is to make the infringing party take greater care in the future. The rise of copyright trolls, and the trend of courts granting them injunctions, make it all the more important for companies to gain visibility into the open source software in their codebase.
Your organization may be evaluating potential acquisitions, meeting supply chain commitments, following customer requirements, conducting M&A due diligence, or preparing for the security and compliance scrutiny of future buyers. Whatever the case, Insignary Clarity's comprehensive binary scans and bill of materials can provide visibility into the quality and security of the open source components in your organization's codebase.