At least with Stack Overflow, you know what you are dealing with. We also see code snippets from sites with a complete lack of terms of service or no mention of software terms. Acquirers or sellers preparing for M&A have to decide what to do (or not do) about such content in the software that is part of the deal. Our clients are by nature conservative in such matters, and most simply don’t want license issues in their code. But how to address each specific case is a calculation based on risk, importance of the function of the risky code, and the work required for remediation.
In the scenario at hand, we are typically not talking about a lot of code. Content copied and pasted from a blog is likely going to be 20 or 30 lines of code. As a consequence, rewriting is certainly an option to be considered. Having a developer rewrite a function “in a clean room,” i.e., without referencing the copied code, will often take less time than debating the issue.
When remediation would be more involved, some research and debate—and perhaps a legal opinion—is called for. Where exactly did the code come from? Who owns the copyright? Would they care? Would they come after us? One potentially easy solution is to get the copyright holder’s permission. In the case of Stack Overflow, the contributor has granted broad rights to the site but retained copyright themselves, so they’re in a position to do what they want. A friendly developer may be happy to have their code used, and the whole matter could be resolved with a short email exchange. “Yo, OK if we use this under the MIT license?” “Sure.” Matter closed. Again though, you need to make sure that “Yo” is the copyright holder and can therefore grant license to you.
But come on, will anyone ever know? That’s a tough one, and mostly between you, your corporate conscience, and your attorneys. If we were auditing your divestiture, we’d find it. A disgruntled employee might rat you out—it’s happened. But maybe you are planning to rewrite that part of the code in the next release, so….
Most companies, particularly those in software, strive to respect the rights of software copyright holders. Do unto others. In doing so they also eliminate that legal risk, but what to do in a particular case with a particular problematic snippet is always an interesting discussion. Just make sure you are having the discussion.