Should I care about license compliance of container base images?

I just received the following question: “We ship our software application as a container image built on a base image. Surely we don’t have to worry about open source license compliance of the base image, do we?” My answer is: “Of course you have to worry.” Let me explain this step by step.

If you distribute open source code, in whatever form (binary, modified binary, source code), you should comply with the licenses. If you don’t comply you may first receive a complaint and later get sued. From a business perspective, you need to weigh the risk of discovery against the cost of license compliance. In most situations, you should comply with the licenses of all the open source code you are shipping, including whatever is part of that base image you are building on.

License compliance can be a lot of work (hence our SCA services). You first need to take stock of what code you are shipping (by creating a software bill of materials, i.e. the SBOM) and then follow the licenses of that code, for example, by creating correct legal notices. If you get the base image from a supplier, that supplier ideally already provides an SBOM and legal notices that you can just pass on. If not (e.g. you are using an open source base image like Alpine) you have to do it yourself. If you don’t trust your supplier, you should do it yourself anyway.
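As an added example (not code from the original post), here is a minimal start on the "take stock" step for an Alpine base image: parse the apk installed database and group the packages by license expression, which is the raw material for both the SBOM and the legal notices. The file path and single-letter field keys are those used by Alpine's apk; the package records below are constructed sample data.

```python
"""Inventory the packages recorded in an Alpine image's apk database.

Added example, not from the original post. It parses the format of
/lib/apk/db/installed: one stanza per package, stanzas separated by a
blank line, fields keyed by a single letter (P = name, V = version,
L = SPDX license expression, o = origin source package).
"""
from collections import defaultdict

# Constructed sample of three apk database stanzas (not a real image dump).
SAMPLE_DB = """\
P:musl
V:1.2.4-r2
L:MIT
o:musl

P:busybox
V:1.36.1-r15
L:GPL-2.0-only
o:busybox

P:alpine-baselayout
V:3.4.3-r2
L:GPL-2.0-only
o:alpine-baselayout
"""


def parse_installed_db(text):
    """Return a list of {name, version, license, origin} dicts."""
    packages = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if len(line) > 2 and line[1] == ":":
                fields[line[0]] = line[2:]
        if "P" in fields:
            packages.append({
                "name": fields["P"],
                "version": fields.get("V", ""),
                # A missing L: field must be reviewed by hand, not ignored.
                "license": fields.get("L", "NOASSERTION"),
                "origin": fields.get("o", fields["P"]),
            })
    return packages


def licenses_by_package(packages):
    """Group package names by license expression, for the legal notice."""
    grouped = defaultdict(list)
    for pkg in packages:
        grouped[pkg["license"]].append(pkg["name"])
    return dict(grouped)


if __name__ == "__main__":
    for lic, names in sorted(licenses_by_package(parse_installed_db(SAMPLE_DB)).items()):
        print(f"{lic}: {', '.join(names)}")
```

On a real image, read the database with `docker run --rm <image> cat /lib/apk/db/installed` and feed the output to `parse_installed_db`; packages that come out as `NOASSERTION` need manual license review.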

Is it a lot of work? Yes. Is it pointless work? Not according to the open source programmers. Should your suppliers do it? Absolutely. Why don’t they? Well… are you paying them for the work?

Our seminar on license compliant delivery of products that contain open source code teaches you how to streamline license compliance workflows.
