
DevOps Horror Stories: Software License to Kill

Oct 27, 2020 / DevOps / 2 min read
by Alan Carson
Sometimes a license is enough to lose you a customer.

The following is a true story. It doesn’t have a happy ending.

Horrors lurk beneath the trap door, for there is always something down there, in the dark, waiting to come out...

The Thing Upstairs glares across the conference table, already knowing the horrible truth, “What license does it have?”

Berk confidently replies, “GPL version 3.”

Two months prior.

Berk is an experienced software developer at a well-known consultancy firm, TrapDoor Inc. He’s worked his way up the ranks, paid his dues, and has been given his first solo project.

A customer has asked TrapDoor Inc. to architect and build a software tool. The problem specification is well-defined, but the solution design, architecture, and implementation details can all be decided by Berk.

The high-level design gets approved, and Berk gets to work. The agreement with the customer is to release often and early, as they too are a software consultancy and can run tests internally and externally on their customers’ sites.

After about five weeks of development, the first alpha is released.

A week later the second.

A week after that, the third iteration is released to much fanfare. Good, steady progress is being made.

Only then does The Thing Upstairs stir and decide to code review Berk’s solution. The findings are shocking. Berk’s solution relies heavily on an open-source project with a copyleft GPL v3.0 license.

That’s bad.

Really bad.

Copyleft is the practice of granting the right to freely distribute and modify intellectual property with the requirement that the same rights be preserved in derivative works created from that property. Handing a derivative of GPL v3.0 code to a customer is distribution, so the tool itself must be offered under GPL v3.0, with its source, rather than under whatever commercial terms TrapDoor Inc. and the customer agreed.

Berk has spent seven weeks writing logic that is bound to the original license, unfit for commercial handover, and now likely running illegally on customer sites, without the proper license or attribution.

Worst of all, the dependency’s original source code was copied into a TrapDoor Inc. repository and modified there, and Berk had explicitly deleted its license file.
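A pre-merge check of the kind that would have surfaced both problems before the first alpha shipped, as an added example that is neither TrapDoor Inc.’s nor the post’s own code: it flags strong-copyleft or undeclared licenses in a dependency list and reports vendored packages whose directory has no LICENSE/COPYING file. The manifest format (name, SPDX id pairs), the `vendor/` layout, the file list (as `git ls-files` would print it) and the sample data are all assumptions.

```python
import re
# Strong copyleft: a derivative work must be offered under the same terms.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}  # library-only copyleft
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
LICENSE_FILE = re.compile(r"^(LICENSE|LICENCE|COPYING)(\.\w+)?$", re.IGNORECASE)
VENDOR_DIRS = ("vendor", "third_party")  # assumed layout for copied-in code

def classify(spdx_id):
    """Map an SPDX license id onto the obligation class that matters here."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"  # unknown is a finding too: nobody has checked it

def audit_manifest(deps):
    """(name, license, class) for every dependency that blocks a commercial handover."""
    findings = []
    for name, spdx_id in deps:
        cls = classify(spdx_id)
        if cls in ("strong-copyleft", "unknown"):
            findings.append((name, spdx_id, cls))
    return findings

def vendored_without_license(paths):
    """Vendored top-level packages whose directory has no LICENSE/COPYING file."""
    packages, licensed = set(), set()
    for path in paths:
        parts = path.split("/")
        if len(parts) >= 3 and parts[0] in VENDOR_DIRS:
            pkg = parts[0] + "/" + parts[1]
            packages.add(pkg)
            if len(parts) == 3 and LICENSE_FILE.match(parts[2]):
                licensed.add(pkg)
    return sorted(packages - licensed)

# Constructed sample: a GPL-3.0 dependency vendored in with its license file deleted, plus one with no declared license.
SAMPLE_DEPS = [("fastgraph", "GPL-3.0-only"), ("tinyjson", "NOASSERTION")]
SAMPLE_PATHS = ["vendor/fastgraph/graph.py", "vendor/fastgraph/README.md",
                "vendor/tinyjson/tinyjson.py", "vendor/tinyjson/LICENSE", "src/app.py"]

if __name__ == "__main__":
    for name, spdx_id, cls in audit_manifest(SAMPLE_DEPS):
        print(f"REVIEW  {name}: {spdx_id} ({cls})")
    for pkg in vendored_without_license(SAMPLE_PATHS):
        print(f"MISSING license file in {pkg}")
```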

Little could be done without a page-one, clean-room rewrite, using a dependency with a more permissive license. But we’ll never know. This story doesn’t have a happy ending. Trust was lost. The six-figure project was canceled. The customer refused to pay.

All because Berk didn’t think licensing was important.
