What Prevents Companies From Open Sourcing Their Codebase?


Recently in the news: Yet another company caught using GPL libraries and requested to publish their source code.

Let’s cover why companies won’t open source their codebase, no matter how hard the world may insist.

Corollary: That’s also why many companies have a blanket ban on using GPL libraries, because using GPL libraries would require to open their codebase. which they can’t.

Sensitive Information

There are too many “secrets” in a company’s source code, that may harm the company, affect its reputation and expose it to lawsuits.

What to search for in a typical repo?

  • Passwords and API keys
  • TLS certificates
  • GPL libraries, and more broadly unlicensed and copy/pasted code
  • commercial libraries, integrated a while ago and didn’t pay the license or forgot to renew
  • patented code and algorithms, opening the firm to US lawsuit (Note: software parents are not recognized in Europe)
  • copyrighted or trademarked content (icons, pictures, etc…)
  • sensitive algorithms (credit score, trading algorithms)
  • fraud detection mechanisms, better kept private
  • “inappropriate” comments, text and code
  • security vulnerabilities

In an ideal world, developers don’t store secrets in the repo and don’t save proprietary icon sets from the internet. In a practical world, I’ve never seen a company where half of the above doesn’t happen.

I am guilty of it myself. One day, the company I did a summer internship with forever ago will realize the development machine has been running Visual Studio Premium, activated with a student key edition not meant for commercial use. ^^

There is so much to verify and cleanup before opening a repo. That makes it incredibly difficult to publish any large or older project, that was not intended to be open source from the start.

Even with the best of intention (and resources and budget), the odds are very high that something wrong comes up and kills the publishing effort.

And there is no upside to open source for internal software. It doesn’t make the company more money or more sales, it only opens the company to future backslash and litigation. Litigation being an existential threat for US companies, where any lawsuit around license/patents/copyright can incur unlimited legal fees and damages.