The SaaS developer’s uber-short guide to using Open Source projects

Steven Luke · Published in The Better Story · 5 min read · Jun 6, 2017

Using open source projects in a SaaS offering is extremely common, yet many developers don’t really understand what that means for the company or for their code. Taking the time to read a variety of licenses will give you the confidence you need to choose libraries under the right license and to know your legal, technical and financial obligations.

Yes, you’ll have legal, technical and financial obligations.

Lemme help you out with all of the above, based on my experiences building at Airstory.

Before we begin…

If you are a busy developer — and who isn’t? — then you can always search online to try to get a brief summary of each type of license. What you will often find is this: license summaries start with disclaimers such as “I am not a lawyer” or “perhaps you should not trust me.” So, let me start with this: I am not a lawyer. I don’t even play one on TV. If you want to make sure you are in the clear, talk to somebody who will go to court with you. I will not.

With that said, open source projects are, by and large, a good thing. Many SaaS offerings could only get to where they are thanks to the hard work put into open source projects. (So make sure you give back where you can, even if you are not obligated to do so!)

How I got into reading license agreements.

I recently started using a library that had four different licenses. Three of them were open source and the fourth was a commercial license. I was all set to purchase one of the commercial licenses when I stopped at the last moment to do the unthinkable.

I actually read the license agreement linked to the checkbox that said: “I have read the license agreement.”

In this license agreement, I came across a section I found very interesting. Essentially it said, “This license doesn’t cover SaaS solutions.” For that, I would need an Enterprise license.

I was dumbfounded.

They had multiple tiers of commercial licenses ranging from $500 to $1,000. And the one they said I needed had a “Contact Us” message instead of a price. (Never a good sign for a startup.) To make matters worse, I was just a few days away from a deadline to push some major code changes to production, and the library was already in place. It would take weeks to remove this library and replace it with something else.

So we did what any self-respecting developer with a deadline looming would do: we scheduled a call with a sales person to pay an unknown amount of money. Just so I could hit my deadline.

(Not a happy moment for me.)

That’s when I decided to spend the weekend reading licensing agreements. As you can imagine, my wife was thrilled.

I actually found it interesting when my brain finally started to understand legalese. A part of me wants to dig into this (lemme know if you’d like me to in a future post), but for now I’ll spare you the boring details.

Here’s the most interesting thing I learned: the obligations in open source licenses that really bite (the copyleft requirement to share your source) are triggered by distributing the code. If you are not distributing the code, those obligations don’t apply to you.

The challenge comes down to understanding what “distribute” means. Well, that depends on your license.

What is considered “distributing”?

With all the licenses I read, you can do whatever you want with the code without having to give it back, as long as you use it internally within your company. As a contractor, you can even be paid to make changes to the code as long as the changes are only used by the company for whom you are making the changes. In this case, and for all licenses, as long as the code is used internally, nothing is distributed.

However, the GPL (GNU General Public License) and the AGPL (GNU Affero General Public License) both treat the JavaScript that is sent to the browser as “distributing” their code, so every obligation in their agreement kicks in for it. This means that if you are using a GPL library as part of the JavaScript that is sent to your users, you may have to open source all of your client-side JavaScript under the GPL as well. These were the only licenses I came across that considered client-side JavaScript as “distributing.”

If the code is running on your servers, where only the result of the code is sent to the client over a network, then most licenses do not consider this distributing the code. For example, if you are using an image processing library on your server that is licensed under GPL, you could make any changes you want to that open source code without having to contribute your changes back.

Notice I said, “most licenses.”

The only exception I found to this was the AGPL. Its section 13 adds a trigger the GPL does not have: if users interact with a modified version of the program over a network, you have to offer them the corresponding source. So if you use an AGPL library to drive a networked service, the code that works with that library may have to be open sourced as well. Talk about viral!

A very brief overview of the licenses I researched.

  1. BSD / MIT licenses are very permissive and allow you to do whatever you want without having to contribute your code back. Your only real obligation is to keep the copyright notice and license text with the code.
  2. AGPL and GPL are both “viral” (copyleft) licenses. If you call even a single method from a library covered under one of these in your distributed code, your code may need to be released under the same license.
  3. LGPL (GNU Lesser General Public License) is more lenient than GPL. Older versions were called the Library GPL, and it is still often referred to that way. It allows you to call a library covered by LGPL without having to open source your code. You only have to contribute back if you modify the library itself, and the user must remain able to swap in their own copy of the library (something to check if you bundle it into a single minified blob).
  4. MPL (Mozilla Public License) is a little more lenient than LGPL, as it only covers the individual files to which the license is applied. If you create a new file, even if it is used by the library, that file is not covered (whereas with LGPL an addition to the library would be).

So what should you do?

Look for solutions that are covered by either BSD or MIT. Keep the notices intact and you have nothing else to worry about with these licenses. If you are a SaaS, using libraries covered under the MPL and LGPL is safe anywhere in your codebase.

Stay away from GPL for JavaScript that is sent to the browser. Server-side GPL is safe as long as the server code itself is never handed to customers (an on-premises install or a container image you ship to them is distribution).

Stay as far away from AGPL as you possibly can — nothing good can come from using it.
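The rules above can be turned into a gate that runs in CI against your dependency inventory, so the question “is this library going to the browser, and what license is it under?” gets asked before the deadline rather than after. The script below is an added example for this post, not code from the original article or from any tool it mentions. The package names and inventory are constructed, the policy table encodes the recommendations in this section (permissive anywhere, MPL/LGPL anywhere, GPL only server-side and only if the server code is not itself distributed, AGPL nowhere), and in practice you would feed it real data from something like `license-checker` plus your bundler’s list of what ends up in the browser bundle. It also handles one case the post ran into: a dual-licensed package is acceptable if any one of its license alternatives is.

```javascript
// Added example (not from the original post): a license policy gate for a
// SaaS dependency inventory, encoding the rules from this section.
// The package names and inventory below are constructed for illustration.

// Policy table: SPDX identifier -> category under this post's rules.
// (Assumption: your legal review agrees with these buckets.)
const CATEGORY = {
  "MIT": "permissive",
  "ISC": "permissive",
  "BSD-2-Clause": "permissive",
  "BSD-3-Clause": "permissive",
  "Apache-2.0": "permissive",
  "MPL-2.0": "weak-copyleft",
  "LGPL-2.1": "weak-copyleft",
  "LGPL-3.0": "weak-copyleft",
  "GPL-2.0": "gpl",
  "GPL-3.0": "gpl",
  "AGPL-3.0": "agpl",
};

const SEVERITY = { ok: 0, review: 1, fail: 2 };

// Split an SPDX expression such as "(GPL-3.0-or-later OR MPL-2.0)" into its
// alternatives and strip "-only", "-or-later" and "+" suffixes, so that both
// "GPL-3.0-only" and "GPL-3.0-or-later" map to the "GPL-3.0" policy entry.
function licenseAlternatives(expr) {
  return String(expr)
    .replace(/[()]/g, "")
    .split(/\s+OR\s+/i)
    .map((s) => s.trim().replace(/-(only|or-later)$/i, "").replace(/\+$/, ""));
}

// Evaluate a single license identifier for one package.
// pkg.shipsToBrowser: the package is part of the JavaScript sent to users.
// opts.serverIsDistributed: the server code itself is handed to customers.
function evaluateOne(license, pkg, opts) {
  const category = CATEGORY[license] || "unknown";
  switch (category) {
    case "permissive":
      return { verdict: "ok", reason: `${license}: keep copyright notice and license text` };
    case "weak-copyleft":
      return { verdict: "ok", reason: `${license}: release only changes to the library itself` };
    case "gpl":
      if (pkg.shipsToBrowser) {
        return { verdict: "fail", reason: `${license} in the browser bundle is distribution` };
      }
      if (opts.serverIsDistributed) {
        return { verdict: "fail", reason: `${license} and the server code is shipped to customers` };
      }
      return { verdict: "ok", reason: `${license} stays server-side and is not distributed` };
    case "agpl":
      return { verdict: "fail", reason: `${license}: network use triggers source obligations` };
    default:
      return { verdict: "review", reason: `unrecognised license "${license}", read it by hand` };
  }
}

// A dual-licensed package passes if any one of its alternatives passes:
// pick the alternative with the lowest severity.
function evaluate(pkg, opts = {}) {
  const results = licenseAlternatives(pkg.license).map((l) => evaluateOne(l, pkg, opts));
  const best = results.reduce((a, b) => (SEVERITY[b.verdict] < SEVERITY[a.verdict] ? b : a));
  return { name: pkg.name, ...best };
}

// Group every package in the inventory by verdict.
function audit(inventory, opts = {}) {
  const report = { ok: [], review: [], fail: [] };
  for (const pkg of inventory) {
    const r = evaluate(pkg, opts);
    report[r.verdict].push(r);
  }
  return report;
}

// Constructed inventory with hypothetical package names.
const INVENTORY = [
  { name: "ui-helpers", license: "MIT", shipsToBrowser: true },
  { name: "editor-widget", license: "MPL-2.0", shipsToBrowser: true },
  { name: "image-resizer", license: "GPL-3.0-only", shipsToBrowser: false },
  { name: "chart-lib", license: "GPL-2.0", shipsToBrowser: true },
  { name: "search-engine", license: "AGPL-3.0", shipsToBrowser: false },
  { name: "dual-licensed-lib", license: "(GPL-3.0 OR MPL-2.0)", shipsToBrowser: true },
  { name: "mystery-lib", license: "SEE LICENSE IN LICENSE.txt", shipsToBrowser: false },
];

const report = audit(INVENTORY);
for (const verdict of ["fail", "review", "ok"]) {
  for (const r of report[verdict]) {
    console.log(`${verdict.toUpperCase().padEnd(6)} ${r.name}: ${r.reason}`);
  }
}
```

In a CI job, exit non-zero when `report.fail.length > 0` and treat `review` entries as a blocker too until someone has actually read the license, which is the whole point of the story above. Run it again with `{ serverIsDistributed: true }` before you ever ship an on-premises build, because that flips every server-side GPL dependency from `ok` to `fail`.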

In my case, the project that started all this research has MPL as one of its licenses. For my needs, that license was permissive enough to go ahead with the release, and I was able to hit my deadline.
