Open-Source License Compliance in Software Supply Chains

  • Dirk Riehle
  • Nikolay Harutyunyan


Almost all software products today include open-source components. However, the obligations that open-source licenses impose on their users can be difficult or undesirable to comply with [14, 20, 25]. As a consequence, software vendors and related companies need to govern the process by which open-source components are included in their products [7, 21]. A key process of such open-source governance is license clearance, that is, the process by which a company decides whether a particular component’s license is acceptable for use in its products [4, 15, 19]. In this article, we discuss this process, review the challenges it poses to software vendors, and present the unanswered research questions that result from it.



We would like to thank our colleagues Daniel German and Matti Rossi for the discussions and collaboration at the 2017 workshop on FLOSS ecosystems at Shonan Village, Japan. We also would like to thank Maximilian Capraro, Shane Coughlan, Michael Dorner, Monika Schnizer, and Axel Teichert for their feedback on this article.


  1. B.W. Carver, Share and share alike: understanding and enforcing open source and free software licenses. Berkeley Technol. Law J. 443–481 (2005)
  2. B. Fitzgerald, The transformation of open source software. MIS Q. 587–598 (2006)
  3. Free Software Foundation (2007). GNU General Public License: Version 3, 2007, at
  4. D. German, M. Di Penta, A method for open source license compliance of Java applications. IEEE Softw. 29(3), 58–63 (2012)
  5. D.M. German, A.E. Hassan, License integration patterns: addressing license mismatches in component-based development, in Proceedings of the 31st International Conference on Software Engineering (IEEE Computer Society, 2009), pp. 188–198
  6. GitHub (2017). Open source guides at
  7. I. Haddad, Open Source Compliance in the Enterprise (The Linux Foundation, San Francisco, 2016)
  8. M. Helmreich, D. Riehle, Geschäftsrisiken und Governance von Open-Source in Softwareprodukten, in Praxis der Wirtschaftsinformatik (HMD 283), 49. Jahrgang (2012), pp. 17–25
  9. A. Hemel, S. Coughlan, Practical GPL Compliance (Linux Foundation, San Francisco, 2017), pp. 43–47
  10. J. Henkel, Open source software from commercial firms: tools, complements, and collective invention. Z. für Betriebswirtschaft 4, 1–23 (2004)
  11. Hewlett-Packard Development Company L.P. (2007). Best practices in open source governance. White paper
  12. C. Jensen, W. Scacchi, Governance in open source software development projects: a comparative multi-level analysis, in Open Source Software: New Horizons (2010), pp. 130–142
  13. D.M. Kennedy, A primer on open source licensing legal issues: copyright, copyleft and copyfuture. Louis Univ. Public Law Rev. 20, 345 (2001)
  14. A.M. St. Laurent, Understanding Open Source and Free Software Licensing: Guide to Navigating Licensing Issues in Existing & New Software (O’Reilly Media Inc, Sebastopol, 2004)
  15. C. Link, Patterns for the commercial use of open source: legal and licensing aspects, in Proceedings of the 15th European Conference on Pattern Languages of Programs (ACM, 2010), p. 7
  16. Linux Foundation (2017). The OpenChain project at
  17. R.J. Mann, The commercialization of open source software: do property rights still matter? The University of Texas School of Law, Law and Economics Research Paper No. 58 (2005)
  18. D. McGowan, Legal implications of open-source software. U. Ill. L. Rev. 241 (2001)
  19. H.J. Meeker, Open (Source) for Business: A Practical Guide to Open Source Software Licensing, 2nd ed. (CreateSpace Independent Publishing Platform, Scotts Valley, 2017)
  20. H.J. Meeker, The Open Source Alternative: Understanding Risks and Leveraging Opportunities (Wiley, New York, 2008)
  21. C.H. Nadan, Open source licensing: virus or virtue. Tex. Intellect. Prop. Law J. 10, 349 (2001)
  22. H.E. Pearson, Open source licenses: open source—the death of proprietary systems? Comput. Law Secur. Rev. 16(3), 151–156 (2000)
  23. D. Riehle, The commercial open source business model, in Value Creation in E-Business Management (2009), pp. 18–30
  24. D. Riehle, The economic motivation of open source software: stakeholder perspectives. Computer 40(4) (2007)
  25. C. Ruffin, C. Ebert, Using open source software in product development: a primer. IEEE Softw. 21(1), 82–86 (2004)
  26. H. Schöttle, U. Steger, Managing open source software in the corporate environment. Comput. Law Rev. Int. 16(1), 1–7 (2015)
  27. K. Stewart, P. Odence, E. Rockett, Software Package Data Exchange (SPDX) specification. Int. Free Open Source Softw. Law Rev. 2(2), 191–196 (2011)
  28. S. Zhu, Patent rights under FOSS licensing schemes. Shidler J. Law Commer. Technol. 4, 4–13 (2007)

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Friedrich-Alexander Universität Erlangen-Nürnberg, Erlangen, Germany