Creating a Comprehensive 3rd-Party Package Licensing Policy

Last November, I attended FINOS’s Open Source Strategy Forum in London. It was a terrific opportunity to meet people in the fintech space and to get a sense for how companies large and small in this industry were thinking about open source compliance and the overall open source value proposition for their companies. After the conference, FINOS’s General Counsel & Director of Governance, Aaron Williamson, kindly invited me to present to FINOS’s Open Source Readiness (OSR) Working Group.

The OSR Working Group hosts a regular speaker series, of which my presentation was but one of many. If you’re in the fintech space, I highly recommend checking it out. Even if you’re not in the fintech space, many of the presentations and resources they have available are useful across many industries.

My presentation focused on creating a comprehensive third-party package licensing policy. This is often one of the first things my clients ask me to create for them, and creating one is often a major hurdle for companies that otherwise have the tools and the desire to jump-start the open source compliance process but aren’t sure about the legal implications of the various open source licenses and quasi-open source licenses out there. This presentation gives an inside view of how lawyers go about creating such policies and the types of concerns they typically address.

The presentation was recorded and posted to YouTube here.

You can also download the slides here. I recommend downloading the slides and viewing them via PowerPoint because Google Slides preview will strip out a lot of the nice pictures and formatting.


Open Source Holiday Wishes

Holidays are all about wish lists, so I’ll share some of mine based on a few matters I recently handled. This fall, I worked with a Series D funded technology company to donate a major product to an open source foundation and separately I worked with a small technology company looking to open source their first product. As an open source proponent, with so much of my work focused on compliance, projects like these are always a happy change of pace.

One of the key takeaways for me, though, was the extremely high variability in the amount of guidance various foundations and similar groups offer with respect to the entities contributing to them. My wish would be greater upfront transparency with matters such as license compatibility. Some groups make this fairly easy and have not only extensive license compatibility lists, but also some information explaining those decisions. Other groups, even those who are license stewards themselves, offer scant guidance or nothing more than email archives. It’s a shame because small companies that can’t afford private legal guidance will opt for licensing schemes that offer more, even if that licensing scheme may be less than ideal for their purposes.

For foundations that are not themselves license stewards, my wish would be that they were transparent about whether they were going to follow the license compatibility guidance issued by license stewards such as the Apache Foundation. And, if they are going to deviate from such guidance, it would be extremely useful for them to be transparent in their decision-making for the benefit of their contributors, and the license compatibility discussion throughout the free and open source community. Many of these foundations encounter fascinating corner cases that could serve as templates for others facing similar decisions. The more uniformity and predictability in these issues, one way or another, the lower the ambiguity and the lower the cost of complying for everybody involved.

My work reminded me of the 2016 debate regarding the compatibility of the Common Development and Distribution License and the GNU General Public License v2 over the inclusion of ZFS in Debian. As a free and open source practitioner, the very public nature of that debate was extremely helpful in navigating these waters and has given everyone a solid footing from which to approach these issues. I would encourage more groups to practice the open source approach, not just with respect to code, but with respect to policy, too.

The image above, “Open Source Prescription,” is by and is licensed under CC BY-SA 2.0.