We are integrating a system with a vendor's cloud-based Web application. They do not distribute the source code. We are interested in knowing what open source components they use. If we ask them, can they refuse to say without breaking the terms of licenses where attribution is required?
-
You say the vendor doesn't give you the source code. Do they give you binaries, or are you integrating your system with something they host and run on their (or some third-party's) servers? – MadHatter ♦ 2025-06-26 10:25
-
I'm not certain. I believe they host it or use AWS. I don't think they provide the binaries. I can inquire, if that would be a factor and they don't want to provide the info. – Peter Dongan 2025-06-26 11:20
1 Answer
The thing that would help you accomplish your goal is called a software bill-of-materials (SBOM), which is used to document the software supply chain. However, your vendor may not produce an SBOM, and depending on the agreements, may not have to share it with you. It could be worth asking, though. And, depending on the criticality of the third-party products and services, consider the availability of SBOMs during vendor assessment and in any agreements with the vendor.
Regarding attribution of open-source components, this depends on the license. For example, consider the MIT license. The copyright and permission notice "shall be included in all copies or substantial portions of the Software". Allowing people to access the software over a network does not necessarily constitute a copy or a substantial portion, so there may be no need to provide the notices to users. The license of the open-source components they use would dictate whether they are required to attribute the use of the component or not. Even if required by the license, only the owner can take action to protect their work.
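If the vendor does hand over an SBOM, the practical next step is to read it and sort the components by license so you know which ones carry a notice obligation and which ones have no license declared at all. The following is an added example, not part of the answer above, and not code from any SBOM tool: it parses a constructed CycloneDX 1.5 JSON document (embedded inline, with made-up component entries), handles both the `license.id` and `expression` forms CycloneDX allows, and groups the result. The `NOTICE_REQUIRED` set is a simplified assumption for illustration; which licenses actually require keeping a notice is a question for the license text, not this script.

```python
import json
import re
from collections import defaultdict

# Constructed sample CycloneDX 1.5 SBOM. The components, versions and
# licenses are invented for this example and do not describe any real vendor.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "licenses": [{"expression": "GPL-3.0-or-later"}]},
        # No "licenses" key at all: a gap worth raising with the vendor.
        {"type": "library", "name": "internal-widget", "version": "0.3.0"},
    ],
})

# Assumption for illustration only: licenses whose text requires the
# copyright/permission notice to accompany distributed copies.
NOTICE_REQUIRED = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}


def component_licenses(component):
    """Return the SPDX ids or expressions declared on one component."""
    found = []
    for entry in component.get("licenses", []):
        if "license" in entry:          # {"license": {"id": ...}} or {"name": ...}
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:     # {"expression": "MIT OR Apache-2.0"}
            found.append(entry["expression"])
    return found


def parse_sbom(text):
    """Parse a CycloneDX JSON document into a flat list of component rows."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    rows = []
    for comp in doc.get("components", []):
        rows.append({
            "name": comp["name"],
            "version": comp.get("version", ""),
            "purl": comp.get("purl"),
            "licenses": component_licenses(comp),
        })
    return rows


def expression_ids(expr):
    """Split an SPDX expression such as 'Apache-2.0 OR MIT' into its ids."""
    return {tok for tok in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr) if tok}


def license_summary(rows):
    """Group 'name@version' strings by declared license (UNDECLARED if none)."""
    grouped = defaultdict(list)
    for row in rows:
        for lic in row["licenses"] or ["UNDECLARED"]:
            grouped[lic].append(f"{row['name']}@{row['version']}")
    return dict(grouped)


def needs_attribution(rows):
    """Names of components whose declared license is in NOTICE_REQUIRED."""
    return [row["name"] for row in rows
            if any(expression_ids(lic) & NOTICE_REQUIRED for lic in row["licenses"])]


def undeclared(rows):
    """Names of components with no license information at all."""
    return [row["name"] for row in rows if not row["licenses"]]


if __name__ == "__main__":
    parsed = parse_sbom(SAMPLE_SBOM)
    for lic, comps in sorted(license_summary(parsed).items()):
        print(f"{lic}: {', '.join(comps)}")
    print("notice required:", needs_attribution(parsed))
    print("no license declared:", undeclared(parsed))
```

The "no license declared" list is the one to send back to the vendor: an SBOM that lists a component without any license tells you nothing about the attribution or copyleft obligations attached to it.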