Copyleft is a term used primarily when discussing licensing for open source code. It is a method for making a program, code, or another piece of work free, along with any subsequent versions or modifications of that program. Software licensing raises many questions and debates, and one of the biggest concerns copyleft entitlement.
In order to understand copyleft and what it may mean for software development, it is important to break down the term:
Before understanding copyleft, developers and IT leaders must understand copyright. Copyright and copyleft fall under the same legal framework, meaning they have many of the same rules and regulations. The definition of copyright depends on the industry, but the generalized definition from Merriam-Webster states: “the exclusive legal right to reproduce, publish, sell, or distribute the matter and form of something.” In software development, the matter and form are the code used in a piece of software and the final program.
Copyright automatically attaches to a work without registration. No one can take copyrighted code and republish, perform, or modify it without permission from the developer or company. This permission is a "license" and may come with certain conditions attached, such as attribution.
As the use of open-source software increases, many open-source licenses use copyleft. All open-source licenses must allow distribution in some way, meaning anyone who receives open-source software can inspect and/or alter the code. Copyleft licenses differ in that they require the same rights (the rights to inspect or modify the code) to extend to all works that use the attached piece of code.
The GNU Project describes copyleft as "the rule that when redistributing the program, you cannot add restrictions to deny other people the central freedoms [of free software]." As the GNU General Public License is the most commonly used copyleft license, this is a requirement most developers will face at some point.
Copyleft exists at all levels of licensing. As explained, using open-source code with a copyleft license attached means that downstream projects cannot add more restrictions to the use of the software. If a company were to develop a program using open-source components with copyleft licenses and distribute that program, anyone would have the freedom to use and modify it. The company can change it, but those changes would then have to be made public.
The problem with copyleft licensing should be clear: anyone can copy and use the program without permission and without attribution. It is considered best practice to offer attribution, but it is less common now than it ever was. In essence, software developed using open-source code with a copyleft license can become a derivative of that copyleft open-source software. If that happens, it has to be relicensed under the exact same terms as the open-source license, which will reduce the control that an enterprise has over its own software under many intellectual property laws. One of the biggest rights lost may be the ability to charge money or distribute that software.
The first step to managing copyleft license risks is to use an SCA solution to automate the process of identifying the software components and potential copyleft licensing risks. The ideal solution should include the following core capabilities:
To find out more information about managing OSS licensing risks with CAST’s Software Composition Analysis dashboard, sign up for a free demo.