The use of open-source software (OSS) continues to grow. It is the leading software code used in the operating systems of the top 500 supercomputers in the world and is widely used by software developers.
With the growing influence of OSS in innovative software development projects, NASA has recently awarded $15,600,000 to fund 15 OSS projects supporting the maintenance of OSS tools, frameworks and libraries used by NASA for the benefit of all.
Given the widespread use of OSS, with no sign of that use slowing down, it is important that businesses are aware of the potential pitfalls inherent in their software. Some of the key issues to consider when using OSS are set out below.
Security
If software is underpinned by OSS, businesses may be exposed to vulnerabilities.
Because OSS (and its source code) is freely available, hackers may be able to identify vulnerabilities in the OSS and then exploit those weaknesses for their own ends, such as stealing data. This happened to Equifax in 2017, where the personal details of 143 million people were exposed due to its use of Apache Struts.
This is still a prevalent and ongoing issue. We have written a separate article on the recent attempt by hackers to insert a backdoor into the OSS utility XZ Utils – click HERE to view. Had it not been detected in time, this would likely have been one of the highest-impact software supply chain breaches to date.
Security updates for OSS are not automatically pushed to users as they are created. Instead, it is up to businesses and developers to stay on top of upgrades and fixes – something which will be very difficult to do if visibility of the OSS used in the software is limited. Even if developers carry out regular checks, users run the risk of missing an update or simply being slow to deploy it. Hackers have also attempted to trick users into using corrupted OSS components whose names closely resemble those of well-known OSS components.
Publishing
If OSS is included in software, depending on the particular licence terms, there may be a requirement to publish the source code for the software as a whole, free of charge. This principle applies to all so-called ‘restrictive’ OSS licences such as the GNU GPL. Businesses should seek confirmation from software developers that no restrictive OSS is incorporated in their software.
Integrating multiple OSS packages can lead to conflicts if they have incompatible licences. For example, one licence may require disclosure of source code for derivative works, while another may not permit sublicensing, leading to potential violations.
Intellectual property rights
Many OSS licences are made available without any warranties or guarantees as to intellectual property rights. This means that the OSS could infringe intellectual property rights owned by third parties. If infringing material contained in the OSS is combined with a business's software, that business may find itself facing a claim for infringement of third-party intellectual property rights.
As the OSS is proprietary to the OSS developer, the OSS developer has the right to vary the terms of the licence at any time. If it does so, this could create an issue with the intended use of the software. Such a change could be made without notice and would not give users or developers an opportunity to notice, review or approve it.
Support
Many OSS providers do not offer a dedicated support service, which can cause issues if a fix is required.
Members of the community contributing to the code base may decide to create new versions of the OSS and stop providing support for older versions. If an older version of the OSS is used to underpin modified software, businesses may suffer reliability and robustness issues if the older OSS ceases to be maintained.
If you have an enquiry about OSS, please do not hesitate to get in touch with your main contact or Jack Shreeve direct.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at November 2024.