Embed Size (px)
Citation preview
These slides do not contain legal advice
CURRICULUMFOSSTrainingReferenceDeck,Version2FINALDRAFTDesignedfortheOpenChainSpecification1.0
ReleasedundertheCreativeCommonsCC01.0Universal license.
TheseslidesfollowUSlaw.Differentlegaljurisdictionsmayhavedifferentlegalrequirements.Thisshouldbetakenintoaccountwhenusingtheseslidesaspartofacompliancetrainingprogram.
Contents1. What is Intellectual Property?2. Introduction to FOSS
Licenses3. Introduction to FOSS
Compliance4. Key Software Concepts for
FOSS Review
5. Running a FOSS Review6. End to End Compliance
Management (Example Process)
7. Avoiding Compliance Pitfalls
FOSS Policy• <<placeholder slide to identify where the FOSS policy can be found
(OpenChain Specification 1.0, section 1.1.1)>>
CHAPTER 1What is Intellectual Property?
What is “Intellectual Property”?• Copyright: protects original works of authorship
• Protects expression (not the underlying idea) • Software, books, audiovisual materials, semiconductor masks
• Patents: useful inventions that are novel, useful, non-obvious • Limited monopoly to incentivize innovation
• Trade secrets: protects confidential and valuable information• Trademarks: protects marks (word, logos, slogans, color, etc.) that identify the
source of the product• Consumer and brand protection; avoid consumer confusion and brand dilution
This chapter will focus on copyright and patents, the areas most relevant to FOSS compliance
Copyright concepts in software• Basic rule = copyright protects creative works• Copyright generally applies to literary works, such as books, movies,
pictures, music, maps• Software is protected by copyright, not the functionality (that’s protected by
patents) but the expression (creativity in implementation details)• The copyright owner only has control over the work that he or she created,
not someone else’s independent creation
Copyright rights most relevant to software• The right to reproduce the software – making copies• The right to create "derivative works" – making modifications
• Thetermderivativeworkreferstoanewworkbaseduponanoriginalworktowhichenoughoriginalcreativeworkhasbeenaddedsothatthenewworkrepresentsanoriginalworkofauthorshipratherthanacopy(notethatthisisatermofartunderUSlaw)
• The right to distribute• Distributionisgenerallyviewedastheprovisionofacopyofapieceofsoftwareinbinaryorsourcecodeformtoanotherentity(anindividualororganizationoutsideyourcompanyororganization)
Note:Theinterpretationofwhatconstitutesa“derivativework”ora“distribution”issubjecttodebateintheFOSScommunityandwithinFOSSlegalcircles
Patent concepts in software• Patents protect functionality - this can include a method of operation, such as
a computer program• Does not protect abstract ideas, laws of nature
• The patent owner has the right to stop anybody from exercising that functionality, regardless of independent creation
• Other parties who want to use the technology may seek a patent license (which may grant rights to use, make, have made, sell, offer for sale, and import the technology)
Licenses• A "license" is the way a copyright or patent holder gives permission or
rights to someone else• The license can be limited to:
• Types of use allowed (distribution, derivative works / to make, have made, manufacture)• Exclusive or non-exclusive terms• Geographical scope• Perpetual or time limited duration
• The license can have conditions on the grants, meaning you only get the license if you comply with certain obligations• E.g, provide attribution, give a reciprocal license
• May also include contractual terms regarding warranties, indemnification, support, upgrade, maintenance
Check Your Understanding• Whattypeofmaterialdoescopyrightlawprotect?• Whatcopyrightrightsaremostimportantforsoftware?• Cansoftwarebesubjecttoapatent?• Whatrightsdoesapatentgivetothepatentowner?• Ifyouindependentlydevelopyourownsoftware,isitpossiblethatyoumightneedacopyrightlicensefromathirdpartyforthatsoftware?Apatentlicense?
CHAPTER2IntroductiontoFOSSLicenses
FOSSLicenses• FreeandFOSS Softwarelicensesgenerallymakesourcecodeavailableundertermsthatallowformodificationandredistribution
• FOSSlicensesmayhaveconditionsrelatedtoprovidingattributions,copyrightstatementpreservation,orawrittenoffertomakethesourcecodeavailable
• OnepopularsetoflicensesarethoseapprovedbytheFOSS Initiative(OSI)basedontheirFOSS Definition(OSD).AcompletelistofOSI-approvedlicensesisavailableathttp://www.opensource.org/licenses/
PermissiveFOSSLicenses• PermissiveFOSSlicense- atermusedoftentodescribeminimallyrestrictiveFOSSlicenses
• Example:BSD-3-Clause• TheBSDlicenseisanexampleofapermissive licensethatallowsunlimitedredistributionforanypurposeaslongasitscopyrightnoticesandthelicense'sdisclaimersofwarrantyaremaintained
• Thelicensecontainsaclauserestrictinguseofthenamesofcontributorsforendorsementofaderivedworkwithoutspecificpermission
• Otherexamples:MIT,Apache-2.0
LicenseReciprocity&CopyleftLicenses• Somelicensesrequirethedistributionofderivativeworks(orsoftwareinthesamefile,sameprogramorotherboundary)underthesametermsastheoriginalwork
• Thisisreferredtoasa”Copyleft","reciprocal",or"hereditary"effect• ExampleoflicensereciprocityfromtheGPLversion2.0:
"Youmustcauseanyworkthatyoudistributeorpublish,thatinwholeorinpartcontainsorisderivedfromtheProgramoranypartthereof,tobelicensed...underthetermsofthisLicense."
• LicensesthatincludereciprocityorCopyleftclausesincludeallversionsoftheGPL,LGPL,AGPL,MPLandCDDL
• Copyleftlicensesmayincludesourceavailabilityobligations
ProprietaryLicenseorClosedSource• Aproprietarysoftwarelicense(orcommerciallicenseorEULA)hasrestrictionsontheusage,modificationordistributionofthesoftware
• Proprietarylicensesofteninvolvepaymentoralicensefee• Proprietarylicensesareuniquetoeachvendor- thereareasmanyvariationsofproprietarylicensesastherearevendorsandeachmustbeevaluatedindividually
• FOSSdevelopersoftenusetheterm"proprietary"todescribeacommercialnon-FOSSlicenseeventhoughbothFOSSandproprietarylicensesarebasedonintellectualpropertyandprovidealicensegranttothatproperty
OtherLicensingSituations• Freeware- softwaredistributedunderaproprietarylicenseatnoorverylowcost
• Thesourcecodemayormaynotbeavailable,andcreationofderivativeworksisusuallyrestricted• Freewaresoftwareisusuallyfully functional (no lockedfeatures)andavailableforunlimiteduse(nolockingondaysofusage)
• Freewaresoftwarelicensesusuallyimposerestrictionsinrelationtocopying, distributing, andmakingderivativeworksofthesoftware,aswellasrestrictionsonthetypeofusage(personal, commercial,academic,etc.)
• Shareware- proprietarysoftwareprovidedtousersonatrialbasis,foralimitedtime,freeofchargeandwithlimitedfunctionalitiesorfeatures• Thegoalofsharewareistogivepotentialbuyerstheopportunitytousetheprogramandjudgeitsusefulnessbeforepurchasingalicenseforthefullversionofthesoftware
• MostcompaniesareveryleeryofShareware,becauseSharewarevendorsoftenapproachcompaniesforlargelicensepaymentsafterthesoftwarehasfreelypropagatedwithintheirorganizations.
• FreewareandSharewarearenotFOSS
PublicDomain• Thetermpublicdomainreferstointellectualpropertynotprotectedbylawandthereforeusablebythepublicwithoutrequiringalicense
• Developersmayincludeapublicdomaindeclaration withtheirsoftware• E.g.,"Allofthecodeanddocumentationinthissoftwarehasbeendedicatedtothepublicdomainbytheauthors."
• ThepublicdomaindeclarationisnotthesameasaFOSSlicense
• Apublicdomaindeclarationattemptstowaiveoreliminateanyintellectualpropertyrightsthatthedevelopersmayhaveinthesoftwaretomakeitclearthatitcanbeusedwithoutrestriction,buttheenforceabilityofthesedeclarationsissubjecttodisputewithintheFOSScommunity
• Oftenthepublicdomaindeclarationisaccompaniedbyotherterms,suchaswarrantydisclaimers.Insuchcases,thesoftwaremaybeviewedasbeingunderalicenseratherthanbeinginthepublicdomain
LicenseCompatibility• Licensecompatibilityistheprocessofensuringthatlicensetermsdonotconflict.• Ifonelicenserequiresyoutodosomethingandanotherprohibitsdoingthat,thelicensesconflictandarenotcompatibleifthecombinationofthetwosoftwaremodulestriggertheobligationsunderalicense.
• OneexampleisthattheGPLv2extendsitsobligationsto"derivativeworks."• IfasecondsoftwaremoduleiscombinedwithaGPLv2licensedmodulethatisnotaderivativeworkoftheGPLv2licensedmodule,thesecondsoftwaremoduleisnotsubjecttoGPLv2.
• Thedefinitionof"derivativework"issubjecttodifferentviewsintheFOSScommunity.
NoticesNotices,suchastextincommentsinfileheaders,oftenprovideauthorshipandlicensinginformation.FOSSlicensesmayalsorequiretheplacementofnoticesinsourcecodeordocumentationtogivecredittotheauthor(anattribution)ortomakeitclearthesoftwareincludesmodifications.• Copyrightnotice- anidentifierplacedoncopiesoftheworktoinformtheworldofcopyrightownership.Example:Copyright©A.Person(2016).
• Licensenotice - anoticethatacknowledgesthelicensetermsandconditionsoftheFOSSincludedintheproduct.
• Attributionnotice- anoticeincludedintheproductreleasethatacknowledgestheidentityoftheoriginalauthorsoftheFOSSincludedintheproduct.
• Modificationnotice– anoticethatyouhavemademodificationstothesourcecodeofafile,suchasaddingyourcopyrightnoticetothetopofthefile.
Multi-Licensing• Multi-licensingreferstothepracticeofdistributingsoftwareundertwoormoredifferentsetsoftermsandconditions• E.g.,whensoftwareis“duallicensed,”recipientscanchoosetouseordistributethesoftwareunderachoiceoftwolicenses
• Note:Thisshouldnotbeconfusedforsituationsinwhichalicensorimposesmorethanonelicense,andyoumustcomplywithallofthem
CheckYourUnderstanding• WhatisaFOSSlicense?• WhataretypicalobligationsofapermissiveFOSSlicense?• NamesomepermissiveFOSSlicenses.• Whatdoeslicensereciprocitymean?• Namesomecopyleft-stylelicenses.• Whatneedstobedistributedforcodeusedunderacopyleftlicense?• AreFreewareandSharewaresoftwareconsideredFOSS?• Whatisamulti-license?• Whatinformationmayyoufind inFOSSNotices,andhowmaythenoticesbeused?
CHAPTER 3Introduction to FOSS Compliance
FOSSComplianceGoals• Knowyourobligations(detectandtrackuseofFOSS).Youshouldhaveaprocessforidentifying,trackingandarchivingalistofallFOSScomponents(andtheirrespectiveidentifiedlicenses)fromwhichyoursoftwareiscomprised.
• SatisfyallthelicenseobligationsfortheFOSSthatisused.YourprogramshouldidentifyandhandletypicalFOSSusecasesthatresultfromyourorganization’sbusinesspractices.
WhatComplianceObligationsMustBeSatisfied?Dependingonthelicense(s)involved,obligationscouldconsistof:• AttributionandNotices. Inclusionofcopyrightandlicensetextinthesourcecodeand/orproductdocumentationoruserinterface,sothatdownstreamusersknowtheoriginofthesoftwareandtheirrightsunderthelicenses
• Sourcecodeavailability.Providingsourcecodefororiginalwork,forcombinedworkormodifications,aswellasbuildscripts(scriptsthatcontrolthebuildprocess)
Theseobligationsmaytriggeruponkeyevents,suchas:• Externaldistribution• Whetheryouhavemademodifications
FOSS Conditions & RestrictionsDepending on the FOSS license used, you may need to comply with one or more of the following types of conditions and restrictions:• Retain copyright (and other) notices• Provide a copy of the license• Provide notice of modifications• Modified versions must have a different name to avoid confusion• Provide access to source code (whether you modified it or not)• Maintain modified versions (derivative works) under the same license• Provide attribution• Do not use the project or copyright holder name or trademark • Do not restrict others of the rights granted under the original license• Termination clauses (if you breach, you lose license)
FOSS Compliance Triggers: Distribution• Dissemination of material to an outside entity
• Applications downloaded to a user’s machine or mobile device• JavaScript, web client, or other code that is downloaded to the user’s machine
• For some FOSS licenses, access via a computer network can be a “trigger event.” The trigger is"users interacting with it remotely through a computer network."• Some licenses define the trigger event to include permitting access to software running
on a server (e.g., all versions of the Affero GPL if the software is modified)
FOSS Compliance Triggers: Modification• Changes to the existing program (e.g., additions, deletions of code in a file,
combining components together)• Modifications may constitute a derivative work, and FOSS authors may limit or
place obligations on modifications• Modifications may trigger FOSS obligations, such as:
• Notice of modification• Providing accompanying source code
FOSSComplianceProgramOrganizationsthathavebeensuccessfulatFOSScompliancehavecreatedtheirownFOSSCompliancePrograms (consistingofpolicies,processes,trainingandtools)to:1. FacilitateeffectiveusageofFOSSincommercialproducts2. RespectFOSSdeveloperrightsandcomplywithlicenseobligations3. Contributeandparticipateinopencommunities
ImplementingCompliancePracticesPreparebusinessprocessesandsufficientstafftohandle:• IdentificationoftheoriginandlicenseofFOSSsoftware• TrackingFOSSsoftwarewithinthedevelopmentprocess• PerformingFOSSreviewandidentifyinglicenseobligations• Fulfillmentoflicenseobligationswhenproductships• OversightforFOSSComplianceProgram,creationofpolicy,andcompliancedecisions• Training
ComplianceBenefitsBenefitsofarobustFOSSComplianceprograminclude:
• IncreasedunderstandingofthebenefitsofFOSSandhowitimpactsyourorganization
• IncreasedunderstandingofthecostsandrisksassociatedwithusingFOSS
• BetterrelationswiththeFOSScommunityandFOSSorganizations
• IncreasedknowledgeofavailableFOSSsolutions
CheckYourUnderstanding• WhatdoesFOSScompliancemean?
• WhataretwomaingoalsofaFOSSComplianceProgram?
• ListanddescribeimportantbusinesspracticesofaFOSSComplianceProgram.
• WhataresomebenefitsofaFOSSComplianceProgram?
CHAPTER 4Key Software Concepts for FOSS Review
How do you want to use to the component?Common scenarios include:• Incorporation• Linking• Modification• Translation
IncorporationA developer may copy portions of a FOSS component into your software product.
Relevant terms include:• Integrating• Merging• Pasting• Adapting• Inserting
LinkingA developer may link or join a FOSS component with your software product.
Relevant terms include:• Static/Dynamic Linking• Pairing• Combining• Utilizing• Packaging• Creating interdependency
ModificationA developer may make changes to a FOSS component, including:
• Adding/injecting new code into the FOSS component
• Fixing, optimizing or making changes to the FOSS component
• Deleting or removing code
Fixing OptimizingChanging
AddingInjecting
Deleting
TranslationA developer may transform the code from one state to another.
Examples include:• Translating Chinese to English • Converting C++ to Java • Compiling VHDL in a mask or net list• Compiling into binary
Development ToolsDevelopment tools may perform some of these operations behind the scenes.
For example, a tool may inject portions of its own code into output of the tool.
Inject material
Modify the material
Translate the material
How is the FOSS component distributed?• Who receives the software?
• Customer/Partner• Community project
• What format for delivery?• Source code delivery• Binary delivery• Pre-loaded onto hardware
Check Your Understanding• Whatisincorporation?• Whatislinking?• Whatismodification?• Whatistranslation?• Whatfactorsareimportantinassessingadistribution?
CHAPTER 5Running a FOSS Review
FOSSReview• AkeyelementtoaFOSSComplianceProgramisaFOSSReviewprocess,throughwhichacompanycananalyzeanddetermineitsFOSSobligations
• TheFOSSReviewprocessincludesthefollowingsteps:• Gatherrelevantinformation• Analyzeanddeterminelicenseobligations• Provideguidanceinlightofcompanypolicyandbusinessobjectives
InitiatingaFOSSReview
TheFOSSReviewprocessshouldbeaccessibletoProgram/ProductManagers,EngineersandotherswhomaybeworkingwithFOSS.Note:ThisprocessmayalsostartwhenreceivingFOSS-basedsoftware fromoutsidevendors.
Initiate a FOSS Review
Product Manager
Program Manager
Engineer
Whatinformationdoyouneedtogather?WhenanalyzingFOSSusage,collectinformationabouttheidentityoftheFOSScomponent,itsorigin,andhowtheFOSScomponentwillbeused.Thismayinclude:
• Packagename• Version
• OriginaldownloadURL• LicenseandLicenseURL
• Description• Descriptionofmodifications
• Listofdependencies• Intendeduseinyourproduct
• Firstproductreleasethatwillincludethepackage
• Availabilityofsourcecode• Wherethesourcecodewillbemaintained
• Whetherthepackagehadpreviouslybeenapprovedforuseinanothercontext
• Inclusionoftechnologysubjecttoexportcontrol• Iffromanexternalvendor:
• Developmentteam'spointofcontact• Copyrightnotices,attribution,sourcecodeforvendormodificationsifneededtosatisfylicenseobligations
FOSSReviewTeam
AFOSSReviewalertsandengagesthevarioussupportgroupsthatworktogethertosupport,guide,coordinateandreviewtheuseofFOSS.Thisteammayinclude:
• Legalteamtoidentifyandevaluatelicenseobligations
• ScanningandtoolingsupportteamtohelpidentifyandtrackFOSSusage
• Specialistsworkingwithbusinessinterests,commerciallicensing,exportcompliance,etc.,whomaybeimpactedbyFOSSusage
Initiate a FOSS Review
Product Manager
Program Manager
EngineerLegal ScanningSpecialists
AnalyzingProposedFOSSUsage
TheFOSSReviewteamshouldassesstheinformationithasgatheredbeforeprovidingguidance,includingforissuessuchas:• Completeness,consistency,accuracy(codescanningtoolsmaybeusedtoscanforundisclosed FOSSusage)• Doesthedeclaredlicensematchwhatisinthecodefiles?• Doesthelicensetrulypermittheproposeduseofthesoftware?
Legal Scanning Specialists
WorkingthroughtheFOSSReview
WorkingthroughtheFOSSReviewprocessisinteractive.Theworkcrossesdisciplines,includingengineering,businessandlegalteams,andmayrequireinfollow-updiscussionsothatallpartiesunderstandtheunderlyingissues.Ultimately,theprocessshouldresultinclearguidanceonFOSSusage.
Initiate a FOSS Review
Product Manager
Program Manager
EngineerLegal ScanningSpecialists
Work
Guidance
FOSSReviewOversight
TheFOSSReviewprocessshouldhavesufficientoversightincasesofdisagreementbetweenanyofthepartiesinvolved,orwhenadecisionisparticularlyimportant.
Initiate a FOSS Review
Product Manager
Program Manager
EngineerLegal ScanningSpecialists
Work
Guidance
Executive Review Committee
CheckYourUnderstanding• WhatisthepurposeofaFOSSReview?• WhatisthefirstactionyoushouldtakeifyouwanttouseFOSScomponents?• WhatshouldyoudoifyouhaveaquestionaboutusingFOSS?• WhatkindsofinformationmightyoucollectforaFOSSreview?• Whatinformationhelpsidentifywhoislicensingthesoftware?• WhatadditionalinformationisimportantwhenreviewingaFOSScomponentfromanoutsidevendor?
• Whatstepscanbetakentoassess thequalityofinformationcollectedinaFOSSReview?
CHAPTER 6End to End Compliance Management (Example Process)
Introduction• CompliancemanagementconsistsofasetofactionsthatcontrolstheintakeanddistributionofFOSSusedinproducts(or"SuppliedSoftware"intheOpenChainspecification)
• TheresultofcomplianceduediligenceisanidentificationofallFOSSusedintheSuppliedSoftware.ItconfirmsthatallFOSSlicenseobligationshavebeenorwillbemet
• Smallcompaniesmayjustuseachecklistwhilelargerenterpriseswillhaveadetailedprocess.Thischapterprovidesanexampleofanenterpriseprocess.
Incoming FOSS
FOSS identified;FOSS obligations
metComplianceProcess
Incoming Software
Iden
tific
atio
n
Audi
t
Reso
lve
Issu
es
Revi
ews
Appr
oval
s
Regi
stra
tion
Notic
es
Verif
icat
ions
Dist
ribut
ion
Verif
icat
ions
ProprietarySoftware
3rd PartySoftware
FOSS
Outgoing Software
Notices & Attributions
Written Offer
Scan or audit source code – and –
Confirm origin andlicense of source
code
Resolve any audit issues in line withcompany FOSS policies
Identify FOSS components for
review
Verify source code packages for distribution
– and –Verify appropriate
notices are provided
Record approvedsoftware/versionin inventory per product and per
release
Publish source code,notices and provide
written offer
Review and approve compliance record of
FOSS software components
Compile noticesfor publication
Post publicationverifications
Example of Compliance Management End-to-End Process
Process Overview
• Pre-requisites:Theprocessmaybeginwithoneoftheseevents:- ThedevelopmentteamrequeststhereviewofaFOSScomponentoranoutgoingrelease
- DiscoveryofFOSSbeingusedwithoutproperauthorization
- DiscoveryofFOSSbeingusedaspartofthirdpartysoftware
• Outcome:• Acompliancerecordiscreated(orupdated)fortheFOSS
• Anauditisrequestedtoscanorreviewthesourcecode
Incoming:FOSS
Outgoing:FOSS +Mods
Iden
tific
atio
n
Audit
Resolve
Issue
s
Review
s
Approvals
Registratio
n
Notic
es
Verification
s
Distrib
ution
Verification
s
• Steps:• Incomingrequestsarerecorded• Scansofentireplatformmaybe
performed• Duediligenceonany3rd party
providedsoftware• RecognizeandreviewanyFOSS
components addedtoarepositorywithout anincomingrequest
IdentifyandbegintrackingFOSSfromallsources
Identify and Track FOSS Usage
Incoming:FOSS
Outgoing:FOSS +ModsAu
dit
iden
tification
Resolve
Issue
s
Review
s
Approvals
Registratio
n
Notic
es
Verifications
Distrib
ution
Verifications
• Pre-requisites:• Developmentteamprovidesa
compliancerecordwithinformationabouttheFOSSusage
• Incaseswherenorecordisprovidedbythedevelopmentteam,arecordcanbecreatedwhentheFOSScomponent isdiscovered
• Outcome:Anauditreportidentifyingtheoriginsandlicensesofthesourcecode
• Steps:• Sourcecodefortheauditisidentified• Sourcemaybescannedbyasoftware
tool• “Hits”fromtheauditorscanare
reviewedandverifiedastotheproperoriginofthecode
• Auditsorscansareperformediterativelybasedonthesoftwaredevelopmentandreleaselifecycles
IdentifyFOSScomponentsandtheiroriginandlicenses
Auditing Source Code
Incoming:FOSS
Outgoing:FOSS +Mods
Reso
lvin
g Is
sues
iden
tification
Audit
Review
s
Approvals
Registratio
n
Notic
es
Verifications
Distrib
ution
Verifications
• Pre-requisites:• Asourcecodeauditorscanhasbeen
completed• Anauditreportidentifiestheoriginsand
licensesofthesourcecodeandflagsfilesthatneedfurtherinvestigation
• Outcome:Aresolutionforeachoftheflaggedfilesinthereportandaresolutionforanyflaggedlicenseconflict
• Steps:• Providefeedbacktotheappropriate
engineerstoresolveissuesintheauditreportthatconflictwithyourFOSSpolicy
• Followupwithengineerstoconfirmthatthe issuesareresolved
Resolveallissuesidentifiedintheaudit
Resolving Issues
Incoming:FOSS
Outgoing:FOSS+Mods
Rev
iew
s
identification
Audit
ResolveIssues
Approvals
Registratio
n
Notices
Verifications
Distribution
Verifications
Pre-requisites:
• Sourcecodehasbeenaudited
• Allidentifiedissueshavebeenresolved
Outcome:• Ensurethesoftwareintheaudit
reportconformswithFOSSpolicies
• Preserveauditreportfindingsandmarkresolvedissuesasreadyforthenextstep(i.e.Approval)
Steps:• Includeappropriateauthority levelsin
reviewstaff
• ConductFOSSReviewsonauditedsourcecode,reviewsoftwarearchitectureandFOSSusage(seenextslidefortemplate)
• IdentifyobligationsunderFOSSlicenses
Reviewtheauditreportandconfirmanydiscoveredissuesareresolved
Performing Reviews
Proprietary
Legend
3rd PartyCommercial
GPL
LGPL
FOSSPermissive
FunctioncallSocketinterface
(fc)
(si)
Systemcall(sc)
Sharedheaders(sh)
UserSpace
KernelSpace
Hardware
[InsertComponents]
[InsertComponents]
[InsertComponents]
[Insertinteraction method]
[Insertinteraction method]
Architecture Review (Example Template)
• Basedontheresultsofthesoftwareauditandreviewinprevioussteps,
softwaremayormaynotbeapprovedforuse
• TheapprovalshouldspecifyversionsofapprovedFOSScomponents,the
approvedusagemodelforthecomponent,andanyotherapplicable
obligationsundertheFOSSlicense
• Approvalsshouldbemadeatappropriateauthoritylevels
Incoming:FOSS
Outgoing:FOSS +Mods
Appr
oval
s
iden
tification
Audit
Resolve
Issue
s
Review
s
Registratio
n
Notic
es
Verifications
Distrib
ution
Verifications
Approvals
• OnceaFOSScomponenthasbeenapprovedforusage inaproduct,it
shouldbeaddedtothesoftwareinventoryforthatproduct
• Theapprovalanditsconditionsshouldberegisteredinatrackingsystem
• Thetrackingsystemshouldmakeitclearthatanewapprovalisneededfora
newversionofaFOSScomponentorifanewusagemodelisproposed
Incoming:FOSS
Outgoing:FOSS +Mods
Regi
stra
tion
iden
tification
Audit
Resolve
Issue
s
Review
s
Approvals
Notic
es
Verifications
Distrib
ution
Verifications
Registration / Approval Tracking
• PrepareappropriatenoticesforanyFOSSusedinaproductrelease:- Acknowledge theuseofFOSSbyproviding fullcopyrightandattributionnotices- InformtheenduseroftheirproductonhowtoobtainacopyoftheFOSSsourcecode(whenapplicable,forexampleinthecaseofGPLandLGPL)
- ReproducetheentiretextofthelicenseagreementsfortheFOSScodeincluded intheproductasneeded
Incoming:FOSS
Outgoing:FOSS +ModsNo
tices
iden
tification
Audit
Resolve
Issue
s
Review
s
Approvals
Registratio
n
Verifications
Distrib
ution
Verifications
Notices
Incoming:FOSS
Outgoing:FOSS +Mods
Verif
icat
ions
iden
tification
Audit
Resolve
Issue
s
Review
s
Approvals
Registratio
n
Notic
es
Distrib
ution
Verifications
• Pre-requisites:• FOSScomponent hasbeenapprovedfor
usage• FOSScomponent hasbeenregisteredin
thesoftwareinventoryfortherelease• Appropriatenoticeshavebeen
prepared
• Outcome:• Thedistributionpackagecontainsonly
softwarethathasbeenreviewedandapproved
• "DistributedComplianceArtifacts"(asdefinedintheOpenChainspecification),includingappropriatenoticefilesareincludedinthedistributionpackageorotherdeliverymethod
• Steps:• VerifyFOSSpackagesdestined for
distributionhavebeen identifiedandapproved
• Verifythereviewedsourcecodematchesthebinaryequivalentsshippingintheproduct
• Verifyallappropriatenoticeshavebeenincluded toinformend-usersoftheirrighttorequestsourcecodeforidentifiedFOSS
• Verifycompliancewithotheridentifiedobligations
Verifythatdistributedsoftwarehasbeenreviewedandapproved
Pre-Distribution Verifications
Incoming:FOSS
Outgoing:FOSS +Mods
Dist
ribut
ion
iden
tification
Audit
Resolve
Issue
s
Review
s
Registratio
n
Notic
es
Verifications
Approvals
Verifications
• Pre-requisites:• Allpre-distributionverificationhasbeen
completedandnoissueisdiscovered
• Outcome:• Obligationstoprovideaccompanying
sourcecodearemet
• Steps:• Provideaccompanyingsourcecode
alongwithanyassociatedbuildtoolsanddocumentation(e.g.,byuploadingtoadistributionwebsiteorincludinginthedistributionpackage)
• Accompanyingsourcecodeisidentifiedwithlabelsastowhichproductandversiontowhichitcorresponds
Provideaccompanyingsourcecodeasrequired
Accompanying Source Code Distribution
Incoming:FOSS
Outgoing:FOSS +Mods
Verif
icat
ions
iden
tification
Audit
Resolve
Issue
s
Review
s
Approvals
Notic
es
Verifications
Distrib
ution
Registratio
n
• Pre-requisites:• Accompanyingsourcecodeisprovided
asmayberequired• Appropriatenoticeshavebeen
prepared
• Outcome:• VerifiedDistributedCompliance
Artifactsareappropriatelyprovided
• Steps:• Verifyaccompanyingsourcecode(if
any)hasbeenuploadedordistributedcorrectly
• Verifyuploadedordistributedsourcecodecorrespondstothesameversionthatwasapproved
• Verifynoticeshavebeenproperlypublishedandmadeavailable
• Verify other identifiedobligationsaremet
Validatecompliancewithlicenseobligations
Final Verifications
Check Your Understanding• Whatisinvolvedincomplianceduediligence(forourexampleprocess,describethestepsatahighlevel)?• Identification• Auditsourcecode• Resolvingissues• Performingreviews• Approvals• Registration/approvaltracking• Notices• Pre-distributionverifications• Accompanyingsourcecodedistribution• Verification
• Whatdoesanarchitecturereviewlookfor?
CHAPTER 7Avoiding Compliance Pitfalls
CompliancePitfallsThischapterwilldescribesomepotentialpitfallstoavoidinthecomplianceprocess:1. IntellectualProperty(IP)pitfalls2. LicenseCompliancepitfalls3. ComplianceProcesspitfalls
IntellectualPropertyPitfallsType&Description Discovery Avoidance
UnplannedinclusionofcopyleftFOSSintoproprietaryor3rdpartycode:
Thistypeoffailureoccursduringthedevelopmentprocesswhenengineersadd(orcutandpaste)FOSScodeintosourcecodethatisproprietary(toyoutoyouortoathirdparty)inconflictwithyourFOSSpolicies.
Thistypeoffailurecanbediscoveredbyscanningorauditingthe
sourcecodeforpossiblematcheswith:• FOSSsourcecode• Copyrightnotices
Automatedsourcecodescanningtoolsmaybeusedforthispurpose
Thistypeoffailurecanbeavoidedby:• Offeringtrainingtoengineeringstaff
tobringawarenesstocomplianceissuesandtothedifferenttypesandcategoriesofFOSSlicensesandtheimplicationsofincludingFOSSsourcecodeinproprietarysourcecode
• Conductingregularsourcecodescansorauditsforallthesourcecodeinthebuildenvironment(proprietary,3rd partyandFOSS)
IntellectualPropertyPitfallsType&Description Discovery Avoidance
UnplannedlinkingofcopyleftFOSSintoproprietarysourcecodeincertaincases(orviceversa):
Thistypeoffailureoccursasaresultoflinkingsoftware(FOSS,proprietary,3rd party)withconflictingorincompatiblelicenses.ThelegaleffectoflinkingissubjecttodebateintheFOSScommunity.
Thistypeoffailurecanbediscoveredusingthedependency trackingtoolthatallowsyoutodiscoverlinkagesbetweendifferentsoftwarecomponents.
Thistypeoffailurecanbeavoidedby:1. Offeringtrainingtoengineering
stafftoavoidlinkingsoftwarecomponentswithlicensesthatconflictwithyouFOSSpolicieswhichwilltakeapositiononthese legalrisks
2. Continuously runningthedependency trackingtooloveryourbuildenvironment
InclusionofproprietarycodeintocopyleftFOSSthroughsourcecodemodifications
ThistypeoffailurecanbediscoveredusingtheauditsorscanstoidentifyandanalyzethesourcecodeyouintroducedtotheFOSScomponent.
Thistypeoffailurescanbeavoidedby:1. Offeringtrainingtoengineering
staff2. Conductingregularcodeaudits
LicenseCompliancePitfallsType&Description Avoidance
FailuretoProvideAccompanyingSourceCode
Thistypeoffailurecanbeavoidedbymakingsourcecodecaptureandpublishingachecklistitemintheproductreleasecyclebeforetheproductbecomesavailableinthemarketplace.
ProvidingtheIncorrectVersionofAccompanyingSourceCode
Thistypeoffailurecanbeavoidedbyaddingaverificationstepintothecomplianceprocesstoensurethattheaccompanyingsourcecodeforthebinaryversionisbeingpublished.
FailuretoPublishAccompanyingSourceCodeforFOSSComponentModifications
Thistypeoffailurecanbeavoidedbyaddingaverificationstepintothecomplianceprocesstoensurethatsourcecodeformodificationsarepublished,ratherthanonlytheoriginalsourcecodefortheFOSScomponent
LicenseCompliancePitfalls
LicenseCompliancePitfallsType&Description Avoidance
FailuretomarkFOSSSourceCodeModifications:
FailuretomarkFOSSsourcecodethathasbeenchangedasrequiredbytheFOSSlicense
Thistypeoffailurecanbeavoidedby:1. Addingsourcecodemodificationmarkingasaverificationstepbefore
releasingthesourcecode2. Offeringtrainingtoengineeringstafftoensuretheyupdatecopyright
markingsorlicenseinformationofallFOSSorproprietarysoftwarethatisgoingtobereleasedtothepublic
ComplianceProcessFailuresDescription Avoidance Prevention
FailurebydeveloperstoseekapprovaltouseFOSS
ThistypeoffailurecanbeavoidedbyofferingtrainingtoEngineeringstaffonthecompany’sFOSSpoliciesandprocesses.
Thistypeoffailurecanbepreventedby:1. Conductingperiodicfullscanforthe
softwareplatformtodetectany“undeclared” FOSS usage
2. Offeringtrainingtoengineeringstaffonthecompany'sFOSSpoliciesandprocesses
3. Includingcomplianceintheemployeesperformancereview
FailuretotaketheFOSStraining
ThistypeoffailurecanbeavoidedbyensuringthatthecompletionoftheFOSStrainingispartoftheemployee’sprofessionaldevelopmentplananditismonitoredforcompletionaspartoftheperformancereview
ThistypeoffailurecanbepreventedbymandatingengineeringstafftotaketheFOSStrainingbyaspecificdate
ComplianceProcessFailuresDescription Avoidance Prevention
Failuretoauditthesourcecode
Thistypeoffailurecanbeavoidedby:1. Conductingperiodicsourcecodescans/audits2. Ensuringthatauditingisamilestoneinthe
iterativedevelopmentprocess
Thistypeoffailurecanbepreventedby:1. Providingproperstaffingastonot
fallbehindinschedule2. Enforcingperiodicaudits
Failuretoresolvetheauditfindings(analyzingthe"hits"reportedbyascantooloraudit)
Thistypeoffailurecanbeavoidedbynotallowingacompliancetickettoberesolved(i.e.closed)iftheauditreportisnotfinalized.
Thistypeoffailurecanbepreventedbyimplementingblocks in
approvalsintheFOSScomplianceprocess
FailuretoseekreviewofFOSSinatimelymanner
ThistypeoffailurecanbeavoidedbyinitiatingFOSSReviewrequestsearlyevenifengineeringdidnotyetdecideontheadoptionoftheFOSSsourcecode
Thistypeoffailurecanbepreventedthrougheducation
EnsureCompliancePriortoProductShipment• Companiesmustmakecomplianceaprioritybeforeanyproduct(inwhateverform)ships
• Prioritizingcompliancepromotes:• MoreeffectiveuseofFOSSwithinyourorganization• BetterrelationswiththeFOSScommunityandFOSSorganizations
Establishing Community RelationshipsAsacompanythatusesFOSSincommercialproduct,itisbesttocreateandmaintainagoodrelationshipwiththeFOSScommunity,inparticular,thespecificcommunitiesrelatedtotheFOSSprojectsyouuseanddeployinyourcommercialproduct.
Inaddition,goodrelationshipswithFOSSorganizationscanbeveryhelpfulinadvisingonbestwaytobecompliantandalsohelpoutifyouexperienceacomplianceissue.
Goodrelationshipswiththesoftwarecommunitiesmayalsobehelpfulfortwo-waycommunication:upstreamingimprovementsandgettingsupportfromthesoftwaredevelopers.
CheckYourUnderstanding• WhattypesofpitfallscanoccurinFOSScompliance?• Giveanexampleofanintellectualpropertyfailure.• Giveanexampleofalicensecompliancefailure.• Giveanexampleofancomplianceprocessfailure.• Whatarethebenefitsofprioritizingcompliance?• Whatarethebenefitsofmaintainingagoodcommunityrelationship?
