
Licensing in Composite Open Source Projects


Confidential Protecode Inc. 2014

Licensing in Composite Projects

Protecode Webinar Series

December 2014


Agenda

Open Source Software Adoption and Creation

OSS Structure: Genesis vs Composite Projects

Licensing in Composite OSS Projects

Examples

Wrap-up and Q/A

Tiberius Forrester, Director, Solution



OSS Market Penetration

Unstoppable growth
– 85% industry adoption (Gartner 2008)
– 98% worldwide adoption (Accenture 2010)
– 99% worldwide adoption by 2016 (Gartner)

Adoption at various levels
– Organizational level
– Personal level

Not a niche play
– Automotive, healthcare, financial
– Cloud, mobile, database, security
– Gaming, tools, imaging, aerospace
– Anything that includes any code!


Open Source Software

What is OSS
– A software development and distribution model where the software license guarantees certain freedoms
– Also see the OSI definition (http://opensource.org)

The value
– Faster development, more functions, easier integration and customisation
– Interoperability, adoption of open standards
– No license costs
– Freedom from vendor lock-in
– Allows rapid development of complex software systems
– Hundreds of thousands of projects available

Protecode GIPS statistics:
– 2.2M packages
– 0.5B OSS files
– 20B lines of code!


Adoption in Technology Organizations

Organizations and OSS
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business

The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities / maturity
– Difficulty of adoption / integration
– Software quality (end user satisfaction)
– Software enhancements (innovation over time)
– Viability of the open source community


Licensing challenges of OSS

Produced by a large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments

Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled

Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations


OSS Project Communities

Provide support infrastructure
– Organizational, legal and in most cases financial
• Funding through membership fees

Examples:
– Linux Foundation
– Apache Software Foundation
– Eclipse Foundation
– Mozilla, OpenStack, Django, Internet Systems Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL

Established processes for
– Defining governance & policies
– Managing collaboration, security, documentation, conflicts

Generally associated with continuous innovation, trusted licensing, peer-reviewed quality


OSS Project Types

Genesis
– Homogeneous licensing
– Original content, no 3rd party code included in the packages
Example: log4j

Composite
– Mixed or homogeneous licensing
– Some original content, some 3rd party
Example: Vaadin

Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
Example: 4MLinux


Licensing in Composite Projects

Project license
– A top-level license, or a top-level document listing the applicable licenses
– Look for website information, LICENSE, COPYING, or README files

Subfolder licenses
– Indicate sub-level OSS projects
– Not always present

File licenses
– License and copyright statements in the file headers; these may differ from the project and subfolder licenses

Exceptions: subfolders holding binaries or libraries
– Generally do not have a license document
– You are on your own to determine the binary or library licenses

Beware: binaries may expand into many subcomponents
– With their own (hidden or undeclared) licenses
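A script that walks a package in the order this slide describes (top-level document, subfolder documents, file headers, binary subfolders) is given below as an added example; it is not part of the webinar and not Protecode's scanner. It uses SPDX short identifiers and a handful of regex heuristics for the common license texts (both assumptions; the slides name neither), and it builds its own sample package in a temporary directory so that it runs offline. Every file name and license text in that sample is constructed.

```python
import os
import re
import tempfile

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
# Heuristic patterns; first match wins, so the more specific texts come first.
LICENSE_PATTERNS = [
    ("LGPL-2.1", re.compile(r"GNU (?:Lesser|Library) General Public License.{0,80}?version 2\.1", re.I | re.S)),
    ("GPL-3.0", re.compile(r"GNU General Public License.{0,80}?version 3", re.I | re.S)),
    ("GPL-2.0", re.compile(r"GNU General Public License.{0,80}?version 2", re.I | re.S)),
    ("Apache-2.0", re.compile(r"Apache License,? (?:Version )?2\.0", re.I)),
    ("BSD-3-Clause", re.compile(r"BSD[- ]3[- ]Clause|Redistributions in binary form", re.I)),
    ("MIT", re.compile(r"\bMIT License|Permission is hereby granted, free of charge", re.I)),
]
LICENSE_DOC_PREFIXES = ("LICENSE", "LICENCE", "COPYING", "README")
SOURCE_EXT = {".c", ".h", ".cc", ".cpp", ".py", ".js", ".java"}
BINARY_EXT = {".so", ".dll", ".dylib", ".a", ".lib", ".jar", ".exe", ".o"}
HEADER_LINES = 40  # only the top of a source file is inspected


def classify(text):
    """Licenses a piece of text declares: explicit SPDX tags win, otherwise the
    first matching heuristic (full license texts cross-reference each other)."""
    tags = set(SPDX_TAG.findall(text))
    if tags:
        return tags
    for spdx, pattern in LICENSE_PATTERNS:
        if pattern.search(text):
            return {spdx}
    return set()


def read_text(path, max_lines=None):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read() if max_lines is None else "".join(fh.readline() for _ in range(max_lines))


def inventory(root):
    """Walk a package tree and collect the evidence the slide's checklist asks for."""
    report = {"declared": set(), "subprojects": {}, "header_licenses": {}, "undocumented_binaries": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        docs = [f for f in filenames if f.upper().startswith(LICENSE_DOC_PREFIXES)]
        doc_licenses = set()
        for doc in docs:
            doc_licenses |= classify(read_text(os.path.join(dirpath, doc)))
        if rel == ".":
            report["declared"] = doc_licenses          # project license (top-level document)
        elif docs:
            report["subprojects"][rel] = doc_licenses  # subfolder license: a nested OSS project
        if not docs and any(os.path.splitext(f)[1].lower() in BINARY_EXT for f in filenames):
            report["undocumented_binaries"].append(rel)  # binaries with no license document
        for f in filenames:
            if os.path.splitext(f)[1].lower() in SOURCE_EXT:
                path = os.path.join(dirpath, f)
                key = os.path.relpath(path, root).replace(os.sep, "/")
                report["header_licenses"][key] = classify(read_text(path, HEADER_LINES))
    seen = set().union(*report["subprojects"].values(), *report["header_licenses"].values())
    # Hidden licenses: present somewhere inside the package but not in the top-level document.
    report["hidden"] = sorted(seen - report["declared"])
    report["unlicensed_files"] = sorted(k for k, v in report["header_licenses"].items() if not v)
    return report


# Constructed sample package (all names and texts made up), loosely modelled on
# the PhantomJS case in the deck: permissive top level, a bundled LGPL library,
# a stray GPL file and a prebuilt binary with no license document.
SAMPLE_FILES = {
    "LICENSE": "Copyright (c) 2014 Example Corp.\nRedistributions in binary form must reproduce the above notice.\n",
    "src/main.c": "/* SPDX-License-Identifier: BSD-3-Clause */\nint main(void) { return 0; }\n",
    "src/util.c": "/* helpers, no license header at all */\nint helper(void) { return 1; }\n",
    "third_party/fastparse/COPYING": "GNU LESSER GENERAL PUBLIC LICENSE\nVersion 2.1, February 1999\n",
    "third_party/fastparse/parse.c": "/* Licensed under the GNU Lesser General Public License as published by\n"
                                      " * the Free Software Foundation, either version 2.1 of the License. */\n",
    "third_party/codec/codec.c": "/* This program is free software under the terms of the\n"
                                 " * GNU General Public License as published by the FSF, version 2. */\n",
    "prebuilt/libcodec.so": "\x7fELF placeholder, not a real shared object\n",
}


def build_sample_package(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_sample_package():
    """Materialise the constructed package in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    rep = scan_sample_package()
    print("declared at top level:", sorted(rep["declared"]))
    print("subprojects:", {k: sorted(v) for k, v in rep["subprojects"].items()})
    print("hidden licenses:", rep["hidden"])
    print("files without a license header:", rep["unlicensed_files"])
    print("binaries without a license document:", rep["undocumented_binaries"])
```

Run as a script it prints the report. The line that matters is the hidden list: licenses that appear below the top level but not in the top-level document, which is exactly the gap between declared and actual licensing that the later slides warn about. The heuristics are first-match and deliberately conservative; a real scan compares full license texts rather than a 40-line header, and the prebuilt binary still has to be unpacked and scanned separately.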


Licenses and Copyrights in Headers

Source: analysis of 0.5 billion OSS files in the Protecode GIPS™ database


Project and License Mixes

Percentage of OSS packages and variety of licenses mentioned in the file headers


License Compatibility

Licenses with unacceptable terms

Licenses with conflicting terms
– Not all licenses are compatible
– Example: the GPL family is incompatible with many other licenses. GPLv2-only code cannot be combined with Apache License 2.0 code, and GPLv2-only cannot be combined with GPLv3-only, whereas permissive licenses such as MIT and BSD are GPL-compatible (see https://www.gnu.org/licenses/license-list.html for a detailed list)
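The two categories above (unacceptable terms, conflicting terms) can be checked mechanically once the inventory of a package is known. The following is an added example, not from the webinar and not Protecode's product: it encodes a few compatibility facts from the FSF license list linked above as a pair table, adds the copyleft consequences for a closed-source binary distribution, and evaluates a constructed inventory against a constructed policy. SPDX identifiers, the policy dictionary and the sample license set are all assumptions.

```python
from itertools import combinations

# License families, by SPDX short identifier (an assumption; the deck speaks of
# "GPL and its varieties" without naming a scheme).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
KNOWN = PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT

# Pairs that cannot be combined into one distributed work, per the FSF list:
# Apache-2.0 code cannot be included in a GPLv2-only work, and GPLv2-only code
# cannot be combined with code available only under GPLv3 terms. Deliberately
# not exhaustive: a pair missing here is "not known to conflict", nothing more.
INCOMPATIBLE_PAIRS = {
    frozenset({"GPL-2.0-only", "Apache-2.0"}),
    frozenset({"GPL-2.0-only", "GPL-3.0-only"}),
    frozenset({"GPL-2.0-only", "GPL-3.0-or-later"}),
}


def check(licenses, policy):
    """Findings for one package's licenses against a policy dict of the form
    {"denied": {ids never accepted}, "distribution": "proprietary-binary" | "open-source"}."""
    licenses = set(licenses)
    findings = []
    for lic in sorted(licenses):
        if lic in policy["denied"]:
            findings.append({"kind": "denied", "licenses": [lic], "detail": "on the policy deny list"})
        elif lic not in KNOWN:
            findings.append({"kind": "unknown", "licenses": [lic],
                             "detail": "not in the compatibility table; review manually"})
    for a, b in combinations(sorted(licenses), 2):
        if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
            findings.append({"kind": "incompatible", "licenses": [a, b],
                             "detail": "cannot be combined in one work"})
    if policy["distribution"] == "proprietary-binary":
        for lic in sorted(licenses & STRONG_COPYLEFT):
            findings.append({"kind": "copyleft-conflict", "licenses": [lic],
                             "detail": "would require releasing the source of the whole work"})
        for lic in sorted(licenses & WEAK_COPYLEFT):
            findings.append({"kind": "obligation", "licenses": [lic],
                             "detail": "component must stay replaceable (dynamic link or relinkable objects) and its source offered"})
    return sorted(findings, key=lambda f: (f["kind"], f["licenses"]))


# Constructed policy: a vendor shipping a closed firmware image that will not
# accept GPLv3 (installation-information terms). Constructed inventory: the
# permissive-on-top, copyleft-underneath pattern from the composite examples.
SAMPLE_POLICY = {"denied": {"GPL-3.0-only", "GPL-3.0-or-later"}, "distribution": "proprietary-binary"}
SAMPLE_LICENSES = {"BSD-3-Clause", "LGPL-2.1-only", "GPL-2.0-only", "Apache-2.0"}

if __name__ == "__main__":
    for f in check(SAMPLE_LICENSES, SAMPLE_POLICY):
        print(f"{f['kind']:18} {', '.join(f['licenses']):28} {f['detail']}")
```

Pairs absent from the table produce no finding, which is not the same as being compatible, so the table has to be extended deliberately from the FSF list for each license the organization actually accepts; the unknown finding exists so that an unlisted license cannot pass silently.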


Copyleft vs Permissive Licenses


Composite Project 1

Grails (www.grails.org)
– Open source web application framework



Composite Project 2

PhantomJS (BSD licensed, but bundles Qt and other LGPL-licensed libraries)



Composite Project 3

OggCodecs – DirectShow filters for Ogg Vorbis

Package analysed: 0.61.7571


More details in the “flac” subfolder …

Care must be taken to
– investigate the permissions of the whole package,
– remove unnecessary files, or
– use later versions


Wrap up

If you do not use open source software, you will be left out
– Managed adoption of open source software

Open source projects are composite projects
– … unless proven otherwise
– Declared licenses may not match the visible, or hidden, sublicenses

OSS packages released by formal OSS communities are preferred

Compliance requires
– Knowledge of what OSS packages are used
– Access to the OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable
– Removing any component that is not needed

Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time


About Protecode

Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance

Accurate, usable and reliable products and services for organizations worldwide


Q/A


Because Code Travels
www.protecode.com