Open-Source Software (OSS) Usage
Open-Source Software (OSS) is a critical component of modern software development. However, its use comes with legal and security responsibilities. This guide provides an overview of Omnicom's standards for using OSS within the context of the Osborn project.
What is Open-Source Software?
An Open-Source license is a legal and binding contract between the author and the user of a software component, declaring that the software can be used in commercial applications under specified conditions. Without an OSS license, a software component is unusable by others, even if it is publicly posted.
Each license dictates what users are permitted to do, their obligations, and what they cannot do. The appropriate Omnicom legal team should review all Open-Source licenses to ensure they are compatible with company policies.
OSS in the Osborn Project
In the Osborn project, dependencies are managed in:
- Backend (Python): requirements.txt
- Frontend (TypeScript): package.json
As part of our CI/CD pipeline in Bitbucket, we use Software Composition Analysis (SCA) tools to automatically scan these dependencies for two key things:
- License Compliance: To ensure we are not using libraries with licenses that conflict with our policies.
- Known Vulnerabilities: To check for security issues in the versions we are using.
A developer's pull request will be blocked if the scan detects a library with a non-compliant license or a critical/high vulnerability.
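As an added illustration (not the Osborn pipeline's own code), the following Python sketches the two-check gate described above: it maps each dependency's SPDX license identifier onto the license categories this guide uses and flags critical/high vulnerabilities. The SCA report shape, the package names and severities, and the default set of allowed categories are all constructed assumptions, not project policy.

```python
from dataclasses import dataclass

# License categories as the guide describes them, keyed by SPDX identifier.
LICENSE_CATEGORY = {
    "GPL-2.0-only": "copyleft", "GPL-3.0-only": "copyleft",
    "LGPL-3.0-only": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "Apache-2.0": "permissive", "MS-PL": "permissive",
    "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "MIT": "permissive",
}
# Severities that block a pull request, per the guide (critical/high).
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

@dataclass
class Finding:
    """One dependency as reported by the SCA tool (constructed shape)."""
    package: str
    version: str
    license: str                 # SPDX identifier from the SCA report
    vuln_severities: list        # severities of known vulnerabilities

def evaluate(findings, allowed_categories=("permissive", "weak-copyleft")):
    """Return reasons the PR must be blocked (empty list = merge allowed).

    allowed_categories is an assumption about which of the guide's license
    categories legal has cleared; an unlisted license counts as unreviewed."""
    reasons = []
    for f in findings:
        category = LICENSE_CATEGORY.get(f.license, "unknown")
        if category not in allowed_categories:
            reasons.append(f"{f.package}=={f.version}: license {f.license} "
                           f"({category}) is not compliant")
        blocking = sorted({s.upper() for s in f.vuln_severities}
                          & BLOCKING_SEVERITIES)
        if blocking:
            reasons.append(f"{f.package}=={f.version}: "
                           f"{', '.join(blocking)} vulnerability")
    return reasons

def pr_allowed(findings):
    return not evaluate(findings)

# Constructed sample report: names, versions and severities are made up.
SAMPLE_FINDINGS = [
    Finding("example-http", "2.3.1", "Apache-2.0", []),
    Finding("example-pad", "1.3.0", "MIT", ["MEDIUM"]),
    Finding("example-gpl-lib", "4.1.0", "GPL-3.0-only", []),
    Finding("example-parser", "0.9.2", "BSD-3-Clause", ["HIGH", "LOW"]),
    Finding("example-mystery", "1.0.0", "LicenseRef-unknown", []),
]
```

Running `evaluate(SAMPLE_FINDINGS)` yields three blocking reasons (the copyleft library, the HIGH vulnerability, and the unreviewed license), so `pr_allowed` returns False for that report.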
Types of Open-Source Licenses
OSS licenses are primarily divided into two categories:
1. Copyleft Licenses
A copyleft license grants the right to use, modify, and share a work only on the condition that works derived from it are shared under the same terms. If you use a component with a copyleft license, you must also make your own code open for use by others.
Example: General Public License (GPL)
2. Permissive Licenses
A permissive (or "Anything Goes") license guarantees the freedom to use, modify, and redistribute, while also permitting proprietary derivative works. These licenses place minimal restrictions on how the OSS components can be used.
Example: Apache License, MIT License
Common Open-Source Licenses and Guidance
Below is guidance on some of the most commonly used OSS licenses.
General Public License (GPL - Versions 2 and 3)
- Type: Copyleft
- Guidance: Any software that incorporates a GPL component must be released as Open-Source. This requires the release of the full source code together with the rights to modify and distribute the entire code.
Lesser General Public License (LGPL - Version 3)
- Type: Weak Copyleft
- Guidance: Allows developers to use and integrate an LGPL-licensed component into their own (even proprietary) software without being required to release their own source code. However, any developer who modifies the LGPL-covered component itself must make their modified version available under the same LGPL license.
The Apache License Version 2.0 (Apache)
- Type: Permissive
- Guidance: You can freely use, modify, and distribute any Apache-licensed product. When redistributing, you must include a copy of the license, provide a clear attribution, and add modification notices to all modified files. You can release your modified version under any license of your choice.
Microsoft Public License (Ms-PL)
- Type: Permissive
- Guidance: You can reproduce and distribute original or derivative works of software licensed under Ms-PL. You are not required to distribute the source code, but if you do, it must be under the Ms-PL. You must retain all copyright, patent, trademark, and attribution notices.
Berkeley Software Distribution (BSD)
- Type: Permissive
- Guidance: Comes in two main variants (2-Clause and 3-Clause). Both allow you to freely modify and distribute the code in source or binary format as long as you retain the copyright notice, list of conditions, and the disclaimer.
Mozilla Public License 2.0 (MPL-2.0)
- Type: Weak Copyleft
- Guidance: A simple copyleft license designed to encourage contributors to share their modifications. It fits between the Apache license and the GNU family of licenses, allowing the combination of the original code with other code under different licenses.
MIT License
- Type: Permissive
- Guidance: One of the most permissive licenses. You can do whatever you want with the software as long as you add a copy of the original MIT license and copyright notice to it.
For more information on these and other OSS licenses, please consult the Open Source Initiative website. Always check compliance against the most current requirements and restrictions.