How safe is it to use (and develop) Open Source Software?

New technologies and new laws look set to make significant changes to the way Open Source Software (OSS) is developed, licensed and used.  

There have always been questions around ownership and liability in relation to OSS, but current rules and practices are outdated.  In our latest edition of Interface, we look at some of most pressing issues around using OSS today.

• AI code assistants - AI code assistants generate or auto-complete source code based on prompts (high-level descriptions of what the software should do).  Because it is easily available, much of the source code used to train the AI will be OSS.  While the output looks original and safe to use, this isn't always the case.  You need to consider what the AI has been trained on, the quality of the training materials and whether the AI has the right to use them.  This can be far from clearcut. Businesses using AI code assistants need to update their Acceptable Use Policy for using generative AI and may need to amend their OSS policy.
• Cyber security  - the use of OSS is widespread but it can be hard to identify potential vulnerabilities, particularly as businesses often don't have a full inventory of the OSS they use in their software. Developers need to implement a secure testing regime and also have to take into account incoming legislation including (in the EU), NIS2, the Cyber Resilience Act, and the revised Product Liability Directive.  As a minimum, careful documentation of the origins of the OSS and testing of all OSS code used, as well as tighter development processes will be needed.
• Product liability - under the EU's draft revised Product Liability Directive, there is a risk that there will be strict liability for individual developers of OSS in relation to their own modifications.  This could have an unintended chilling effect on the development of OSS if the draft is not amended during the legislative process.  The UK is also modernising its product liability regime but has not specifically raised the issue of OSS in its consultation on reform.  It does, however, want to understand who is responsible for safety when software is updated.
• Public sector use of OSS - the public sector has been slow to use OSS.  Adoption is, however, gaining momentum in a number of EU countries including Austria and Germany.  Public sector organisations looking to integrate OSS will need to put in place extensive developer training, strict usage policies and robust security protocols.

Find out more about the benefits and risks of using OSS and at the evolving legal framework in our Interface edition.