PullRequest Blog

Lyal Avery headshot
By Lyal Avery

August 9, 2018

Using FOSSA for License Compliance

Technical leaders are often caught by surprise during diligence on a round or exit: the list of asks is long, daunting, and seemingly designed to slow down the process. There’s one diligence ask that I have seen derail rounds and exits that’s not nearly as hard to manage as it may seem… the developer tool FOSSA

Projects are usually littered with code from many sources. From importing via package manager to copy and pasted from Stack Overflow (a very risky practice, as establishing a chain of ownership is nearly impossible), developers add dependencies in a variety of ways.

For an acquirer or a venture capitalist, this is problematic. As an example: Facebook’s original license for React included a reasonable IP assignment that could theoretically prevent a company for suing Facebook for anything related to patents (they have since re-licensed it to MIT). For a startup, this is a fair trade off: the likelihood of ever engaging with Facebook on a legal scale is low, while the velocity gained from using React is high.

Even items like packages licensed with certain GPL versions means an unacceptable risk for corporate compliance teams.

Historically, this meant all-hands going through the code base, refactoring where code authorship can’t be established, or hiring an external consulting firm to do it for a substantial amount of money. Over my last exit (and our Series A financing here at PullRequest), I found a better approach with much less friction.