M AND A AND COMPLIANCE
Open source audit risk from distribution.
Open source audit risk from distribution is the exposure that wakes up the moment you ship or host software. Many license obligations stay dormant during internal use and activate at distribution. This article explains where that line sits, why it matters most in shipped and hosted products, and how a buyer contains it.
Most open source obligations are conditional. They depend on what you do with the software, not merely that you use it. The central condition for many licenses is distribution. Run a copyleft component on an internal server and you usually owe little. Put the same component inside a product you ship, or a service you host, and the obligation can switch on. Open source audit risk from distribution is the name for that switch, and it is where compliance findings concentrate.
Why distribution is the trigger
Copyleft licenses are built around reciprocity at the point the software changes hands. The GNU GPL requires that when you distribute a derivative work, recipients receive the same freedoms, including access to the corresponding source. Internal use generally does not count as distribution, which is why the obligation can sit quiet for years. The plain meaning of distribution, the threshold at which the obligation activates, is set out in the glossary entry on what distribution means. The mechanics of the copyleft obligation itself are covered in copyleft distribution obligations explained.
The service gap and the AGPL
For a long time, offering software as a service avoided the distribution trigger entirely. A provider could run GPL software behind an interface, never hand out a binary, and never owe the source. The GNU AGPL was written to close that gap. It treats offering the software to users over a network as a distribution-like event, which means a hosted service can carry the same source disclosure obligation as a shipped product. For any business that operates a software-as-a-service product, the difference between a GPL and an AGPL dependency is the difference between a dormant condition and a live one. The deployment model, not just the license name, decides the exposure.
Source available terms add a second layer
Distribution risk is not limited to copyleft. Source available licenses add restrictions that can bite regardless of whether you distribute, and they bite harder when you build a product on top. The Business Source License restricts competitive production use and converts to an open license on a change date set by the licensor, at most four years after each release. In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer to the Business Source License 1.1. The Server Side Public License carries a strong service condition aimed at parties who offer the software to others. In March 2024 Redis moved to a model that includes the Server Side Public License, prompting the fork Valkey, and in 2021 Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License, prompting the fork OpenSearch. A product that embeds or offers one of these inherits its restrictions on top of any copyleft exposure.
Why this matters in a deal
A target that ships or hosts software has already crossed the distribution line. Its open source obligations are live and visible to customers, auditors, and the vendors whose components it relies on. An acquirer inherits both the obligation and the history. If past releases were distributed without satisfying a copyleft condition, the exposure does not reset at close. This is why the distribution profile belongs in diligence. A company that only uses open source internally carries a different risk shape from one that embeds the same components in a shipped product. The way this exposure feeds the price is covered in open source risk and deal valuation.
How to contain distribution risk
Containment starts with knowing what you distribute and under what terms. Map every component in each shipped or hosted product, including transitive dependencies and container layers, and record the license of each. Flag copyleft and source available components separately, because they need different handling. Decide in advance how each is treated at release, and wire that decision into the release process so a problem is caught before the artifact leaves the building. For products already in the field, assess the back catalog as well as the current release. The discipline that supports this for delivered software is set out in open source compliance for shipped products, and when a claim does arrive, defending an open source compliance claim describes how a clean record turns an open-ended inquiry into a bounded one. The full program sits under the M and A and compliance pillar, and a buyer-side open source M and A due diligence engagement runs the distribution review end to end.
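The release gate described above, as an added example that is not code from the original article. It reads a CycloneDX-style bill of materials, walks the dependency graph from the product so transitive components are counted and unreachable dev tooling is not, classifies each license under the chosen deployment model (internal, shipped, hosted), and fails closed on anything live, restricted or unidentified unless a release decision for that component was recorded in advance. The SBOM, the component names and the policy table are constructed assumptions; the grouping of licenses into copyleft, network copyleft and source available is this example's choice and is a starting point to review with counsel, not a statement of what any license requires.

```python
"""Release gate: which components carry live obligations under a deployment model.

Added example, not code from the original article. The SBOM is a constructed
CycloneDX-style fragment with hypothetical component names; the license grouping
and the dormant/live rules are this example's assumptions, to be reviewed with
counsel before being relied on.
"""

# Assumed policy table keyed by SPDX license identifier.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DEPLOYMENT_MODELS = ("internal", "shipped", "hosted")
SEVERITY = {"none": 0, "dormant": 1, "restricted": 2, "live": 3, "unknown": 4}
BLOCKING = {"live", "restricted", "unknown"}


def classify(license_id, model):
    """Status of one license under one deployment model.

    none        permissive, nothing switches on at distribution
    dormant     copyleft obligation exists but this model does not trigger it
    live        shipping (or, for AGPL, serving over a network) has switched it on
    restricted  source-available terms that apply whether or not you distribute
    unknown     not in the policy table; the gate fails closed on these
    """
    if model not in DEPLOYMENT_MODELS:
        raise ValueError(f"unknown deployment model: {model}")
    if license_id in PERMISSIVE:
        return "none"
    if license_id in NETWORK_COPYLEFT:
        return "dormant" if model == "internal" else "live"  # service gap is closed
    if license_id in COPYLEFT:
        return "live" if model == "shipped" else "dormant"   # hosting is not distribution
    if license_id in SOURCE_AVAILABLE:
        return "restricted"
    return "unknown"


def reachable_components(sbom, root_ref):
    """Follow CycloneDX 'dependencies' edges from the product root, so transitive
    dependencies are included and components nothing depends on are not."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [root_ref]
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    seen.discard(root_ref)
    return seen


def release_gate(sbom, model, approved=frozenset()):
    """Classify every reachable component. `approved` holds refs for which a
    release decision was recorded in advance (source offer prepared, OR-license
    choice made); any other blocking finding stops the release."""
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    findings = []
    for ref in sorted(reachable_components(sbom, root)):
        comp = by_ref.get(ref, {})
        # Entries carrying an SPDX 'expression' instead of an 'id' score as unknown.
        ids = [e.get("license", {}).get("id", "") for e in comp.get("licenses", [])]
        # A component listing several licenses is scored at its worst case.
        statuses = [classify(i, model) for i in ids] or ["unknown"]
        status = max(statuses, key=SEVERITY.__getitem__)
        findings.append({"ref": ref, "licenses": ids or ["(none)"],
                         "status": status, "approved": ref in approved})
    blocked = any(f["status"] in BLOCKING and not f["approved"] for f in findings)
    return {"model": model, "findings": findings, "blocked": blocked}


def _lic(*ids):
    return [{"license": {"id": i}} for i in ids]


# Constructed sample: one product, five runtime dependencies (one transitive via
# lib-web), one component without license metadata, and a dev-only tool that is
# in the BOM but not reachable from the product.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"bom-ref": "acme-analytics", "name": "acme-analytics"}},
    "components": [
        {"bom-ref": "lib-web", "name": "lib-web", "licenses": _lic("MIT")},
        {"bom-ref": "lib-compress", "name": "lib-compress", "licenses": _lic("LGPL-2.1-only")},
        {"bom-ref": "lib-ocr", "name": "lib-ocr", "licenses": _lic("GPL-3.0-only")},
        {"bom-ref": "lib-db-driver", "name": "lib-db-driver", "licenses": _lic("AGPL-3.0-only")},
        {"bom-ref": "acme-kv-store", "name": "acme-kv-store", "licenses": _lic("BUSL-1.1")},
        {"bom-ref": "lib-mystery", "name": "lib-mystery"},
        {"bom-ref": "dev-tool", "name": "dev-tool", "licenses": _lic("GPL-2.0-only")},
    ],
    "dependencies": [
        {"ref": "acme-analytics", "dependsOn": ["lib-web", "lib-ocr", "lib-db-driver",
                                                "acme-kv-store", "lib-mystery"]},
        {"ref": "lib-web", "dependsOn": ["lib-compress"]},
    ],
}

if __name__ == "__main__":
    for model in DEPLOYMENT_MODELS:
        report = release_gate(SAMPLE_SBOM, model)
        print(f"{model:8s} blocked={report['blocked']}")
        for f in report["findings"]:
            print(f"  {f['ref']:14s} {','.join(f['licenses']):16s} {f['status']}")
```

Run against the same BOM, the gate gives a different answer for each model: under "hosted" the GPL and LGPL components stay dormant while the AGPL driver goes live, under "shipped" all three go live, and the source available component and the unidentified one block in every model until someone records a decision for them. The gate fails closed on a component with no license metadata on purpose; an audit treats "we do not know" as a finding, and so should the release process.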
COMMON QUESTIONS
Questions buyers ask.
What is open source audit risk from distribution?
Open source audit risk from distribution is the exposure that activates when you ship or host software containing open source components. Many license obligations, especially copyleft source disclosure, trigger on distribution rather than on internal use, so the same component can be low risk in house and high risk in a product.
Does distribution include offering software as a service?
It can. Plain GPL triggers on distribution, but the GNU AGPL treats offering software to users over a network as a distribution-like event, which means a hosted service can carry the same source disclosure obligation as shipping a binary. The deployment model decides which obligations apply.
Why does distribution raise audit exposure in a deal?
Because a target that ships or hosts software puts its open source obligations in front of customers, auditors, and vendors. A copyleft obligation that was dormant during internal development becomes live at distribution, and an acquirer inherits both the obligation and any record of past non-compliance.
Is this article legal advice?
No. It is commercial and licensing risk analysis, not legal advice. For interpretation of distribution and license terms, engage your own counsel.
CONTAINMENT
Know what you distribute and under which terms.
A confidential open source M and A due diligence review. Independent, buyer-side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.