Some of the less common (but more interesting) licenses include Beerware, which lets users do whatever they like with the software but asks that, if they ever meet the author, they buy them a beer; the Do What the F*** You Want To Public License (WTFPL), which means essentially what it says; and the VoidSpace license, which states that the author is not responsible for any damages that may occur.
The Software Package Data Exchange
The Linux Foundation created the Software Package Data Exchange (SPDX) specification to provide a standard format for a bill of materials: a list of the components included in a piece of open-source code together with the license information for each.
“Our philosophy here is we want to make the sharing of software not only in the development process, but in the consumption and redistribution of that software as simple and plain as possible,” said the Linux Foundation’s Zemlin.
SPDX was designed to give organizations a way to see how one open-source component relates to others, which versions of those components were used, which license (and which version of that license) each component is under, and whether there are any known vulnerabilities that need to be addressed. Zemlin said the specification is still in a mid-adoption phase, but as open-source software comes to be used throughout almost every aspect of IT, it will become the standard way of sharing open-source data.
“SPDX has great potential to act as a common interchange format for licensing information on open-source software,” said the OSI board of directors. “It is still a work in progress, with the latest version of the specification just released [in May].”
The SPDX specification process operates similarly to an open-source community. Developers, distributors and providers can contribute SPDX files for their open-source projects.
Tools to help you comply
Given a choice between coding and worrying about compliance, developers will choose to code, according to Black Duck’s Weinberg. Ensuring compliance manually can be a daunting task and can potentially take several hours every week. Tools can help automate the process, but it’s important to keep in mind that they can’t guarantee compliance.
“Tools themselves cannot ensure compliance, but they can aid organizations in understanding how they are using open source (and other software), and what the organizations need to do to remain in compliance with open-source licenses,” said the OSI board of directors.
A good set of scanning tools is important to help organizations understand exactly how much open-source code they are using in their product and whether that code carries any licenses that are incompatible with one another. “If you have an organization that 100% tracks everything that comes into their organization, they still miss open source and open-source licenses because fundamentally open source uses open source,” said Rogue Wave’s McLoughlin.
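To make the two preceding sections concrete, here is an added example (not code from the article, the SPDX project, or any of the vendors quoted) that parses a small SPDX 2.x tag-value document and does the two things a scanning tool is asked to do above: walk the dependency relationships to find transitive open-source components, and flag license pairs that an organization's policy says must not be combined. The SPDX document, the package names (example-app, httpclient, jsonlib), the CPE locator and the incompatibility table are all constructed for illustration; the table is an assumed policy, not an authoritative compatibility matrix.

```python
"""Parse a minimal SPDX 2.x tag-value document and flag license conflicts.

Added example; not code from the article or from the SPDX project. The
document, package names and CPE below are constructed, and INCOMPATIBLE is
an assumed organizational policy rather than a complete compatibility matrix.
"""
from collections import defaultdict

# Constructed SPDX 2.2 tag-value document (illustrative data, not a real project).
SPDX_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: http://example.invalid/spdx/example-app-1.0

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: GPL-2.0-only

PackageName: httpclient
SPDXID: SPDXRef-Package-httpclient
PackageVersion: 4.5.13
PackageDownloadLocation: https://example.invalid/httpclient-4.5.13.tgz
PackageLicenseConcluded: Apache-2.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:httpclient:4.5.13:*:*:*:*:*:*:*

PackageName: jsonlib
SPDXID: SPDXRef-Package-jsonlib
PackageVersion: 2.1
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT

Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-httpclient
Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-jsonlib
Relationship: SPDXRef-Package-httpclient DEPENDS_ON SPDXRef-Package-jsonlib
"""

# Assumed policy: unordered pairs of SPDX license identifiers that must not be
# combined in one distributed work. Illustrative only.
INCOMPATIBLE = {frozenset({"GPL-2.0-only", "Apache-2.0"})}


def parse_spdx(text):
    """Return (packages, relationships) from tag-value text.

    packages: dict SPDXID -> {name, version, license, cpes}
    relationships: list of (subject_id, relationship_type, object_id)
    """
    packages, relationships, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")  # split on the first colon only
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":  # starts a new package block
            current = {"name": value, "version": None, "license": None, "cpes": []}
        elif tag == "SPDXID" and current is not None and "id" not in current:
            current["id"] = value
            packages[value] = current
        elif tag == "PackageVersion" and current:
            current["version"] = value
        elif tag == "PackageLicenseConcluded" and current:
            current["license"] = value
        elif tag == "ExternalRef" and current:
            category, reftype, locator = value.split(None, 2)
            if category == "SECURITY" and reftype == "cpe23Type":
                current["cpes"].append(locator)  # handle for vulnerability lookup
        elif tag == "Relationship":
            subj, reltype, obj = value.split()
            relationships.append((subj, reltype, obj))
    return packages, relationships


def transitive_deps(pkg_id, relationships):
    """All package IDs reachable from pkg_id via DEPENDS_ON (cycle-safe)."""
    graph = defaultdict(set)
    for subj, reltype, obj in relationships:
        if reltype == "DEPENDS_ON":
            graph[subj].add(obj)
    seen, stack = set(), [pkg_id]
    while stack:
        for dep in graph[stack.pop()]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def license_conflicts(root_id, packages, relationships):
    """(root license, dependency id, dependency license) triples that violate policy."""
    root_lic = packages[root_id]["license"]
    conflicts = []
    for dep_id in sorted(transitive_deps(root_id, relationships)):
        dep_lic = packages.get(dep_id, {}).get("license")  # None if dep is undeclared
        if frozenset({root_lic, dep_lic}) in INCOMPATIBLE:
            conflicts.append((root_lic, dep_id, dep_lic))
    return conflicts


def security_refs(packages):
    """Map package id -> CPE locators, ready to feed an advisory lookup."""
    return {pid: p["cpes"] for pid, p in packages.items() if p["cpes"]}


if __name__ == "__main__":
    pkgs, rels = parse_spdx(SPDX_DOC)
    for c in license_conflicts("SPDXRef-Package-app", pkgs, rels):
        print("CONFLICT: %s depends on %s (%s)" % c)
    for pid, cpes in security_refs(pkgs).items():
        print("CHECK %s against advisories: %s" % (pid, ", ".join(cpes)))
```

Two points the code makes that the prose only implies: the conflict is found on the transitive graph, which is exactly where McLoughlin's "open source uses open source" problem lives, and the check is only as good as the concluded licenses and the policy table, so a clean run is evidence, not a guarantee of compliance.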