licensing in composite open source projects
TRANSCRIPT
Confidential Protecode Inc. 2014
Licensing in Composite Projects
Protecode Webinar Series
December 2014
Agenda
Open Source Software Adoption and Creation
OSS Structure: Genesis vs Composite Projects
Licensing in Composite OSS Projects
Examples
Wrap-up and Q/A
Tiberius Forrester, Director, Solution
OSS Market Penetration
Unstoppable growth
– 85% industry adoption (Gartner 2008)
– 98% worldwide adoption (Accenture 2010)
– 99% worldwide adoption by 2016 (Gartner)
Adoption at various levels
– Organizational level
– Personal level
Not a niche play
– Automotive, healthcare, financial
– Cloud, mobile, database, security
– Gaming, tools, imaging, aerospace
– Anything that includes any code!
Open Source Software
What is OSS
– A software development and distribution model where the software license guarantees certain freedoms
– Also see the OSI definition (http://opensource.org)
The value
– Faster, more functionality, easier integration and customisation
– Interoperability, adoption of open standards
– No license costs
– Freedom from vendor lock-in
– Allows rapid development of complex software systems
– Hundreds of thousands of projects available
• Protecode GIPS statistics:
– 2.2M packages
– 0.5B OSS files
– 20B lines of code!
Adoption in Technology Organizations
Organizations and OSS
– Risk assessment
  • Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities / maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
Licensing challenges of OSS
Produced by a large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations
OSS Project Communities
Provide support infrastructure
– Organizational, legal and in most cases financial
  • Funding through membership fees
Examples:
– Linux Foundation
– Apache Software Foundation
– Eclipse Foundation
– Mozilla, OpenStack, Django, Internet Systems Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL
Established processes for
– Defining governance & policies
– Managing collaboration, security, documentation, conflicts
Generally associated with continuous innovation, trusted licensing, peer-reviewed quality
OSS Project Types
Genesis
– Homogeneous licensing
– Original content, no 3rd party included in packages
– Example: log4j
Composite
– Mixed or homogeneous licensing
– Some original content, some 3rd party
– Example: Vaadin
Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
– Example: 4MLinux
Licensing in Composite Projects
Project license
– A top level license, or a top level document listing the applicable licenses
– Look for website information, LICENSE, COPYING, or README files
Subfolder licenses
– Indicate sub-level OSS projects
– Not always present
File licenses
Exceptions: subfolder holding binaries or libraries
– Generally do not have a license document
– You are on your own to determine the binary or library licenses
Beware: binaries may expand into many subcomponents
– With their own (hidden or undeclared) licenses
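As an added example (not code from the Protecode deck), the walk below gathers licensing evidence at the three levels the slide lists (project-level document, subfolder document, file header), flags subfolders that hold binaries with no license document, and reports licenses seen below the top level that the declared project license never mentions. The header phrases, file extensions and the sample package tree are constructed for the illustration and are not exhaustive.

```python
# Added example, not the deck's code: patterns and sample tree are constructed, not exhaustive.
import os, re, tempfile, pathlib
HEADER_PATTERNS = {  # small constructed set of phrases that identify a license family
    "GPL": re.compile(r"GNU General Public License", re.I),
    "LGPL": re.compile(r"GNU Lesser General Public License", re.I),
    "BSD": re.compile(r"Redistribution and use in source and binary forms", re.I),
}
BINARY_EXT = {".dll", ".so", ".jar", ".lib", ".a", ".exe"}

def licenses_in(text):
    return sorted(n for n, p in HEADER_PATTERNS.items() if p.search(text))

def scan_package(root):
    # declared: per-folder licenses from LICENSE/COPYING/NOTICE/README documents;
    # headers: per source file; undocumented_binaries: folders with binaries but no document
    report = {"declared": {}, "headers": {}, "undocumented_binaries": []}
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        docs = [f for f in files if f.upper().startswith(("LICENSE", "COPYING", "NOTICE", "README"))]
        binaries = [f for f in files if os.path.splitext(f)[1].lower() in BINARY_EXT]
        if binaries and not docs:
            report["undocumented_binaries"].append(rel)  # "you are on your own" case
        for f in files:
            if f in binaries:
                continue  # no readable header; already flagged above
            with open(os.path.join(dirpath, f), errors="ignore") as fh:
                found = licenses_in(fh.read(4000))  # license text and headers sit at the top
            if f in docs:
                report["declared"].setdefault(rel, set()).update(found)
            elif found:
                report["headers"][os.path.join(rel, f)] = found
    return report

def hidden_licenses(report):
    # licenses seen in subfolders or file headers that the top-level document never declares
    top = report["declared"].get(".", set())
    seen = set().union(*report["declared"].values(), *report["headers"].values())
    return sorted(seen - top)

def build_sample_tree():
    # constructed composite package (not a real project): BSD top level, LGPL toolkit
    # subfolder, GPL codec folder, and a binary folder carrying no license document
    root = tempfile.mkdtemp()
    files = {
        "LICENSE": "Redistribution and use in source and binary forms ...",
        "src/main.c": "/* Redistribution and use in source and binary forms ... */",
        "third_party/toolkit/LICENSE.LGPL": "GNU Lesser General Public License v2.1",
        "codec/decoder.c": "/* GNU General Public License as published by the FSF */",
        "bin/codec.dll": "MZ constructed binary",
    }
    for path, body in files.items():
        pathlib.Path(root, path).parent.mkdir(parents=True, exist_ok=True)
        pathlib.Path(root, path).write_text(body)
    return root
```

Running `hidden_licenses(scan_package(build_sample_tree()))` on the constructed tree reports GPL and LGPL as sublicenses the BSD top-level document does not declare, and the `bin` folder as binaries with no license document.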
Licenses and Copyrights in Headers
Source: analysis of 0.5 billion OSS files in the Protecode GIPS™ database
Project and License Mixes
Percentage of OSS packages and variety of licenses mentioned in the file headers
License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: GPL (and its varieties) is incompatible with most other licenses (see https://www.gnu.org/licenses/license-list.html for a detailed list)
Composite Project 1
Grails (www.grails.org)
– Open source web application framework
Composite Project 2
PhantomJS (BSD licensed, but includes Qt and other LGPL licensed libraries)
Composite Project 3
OggCodecs – Directshow filters for Ogg Vorbis
Package analysed: 0.61.7571
More details in “flac” subfolder …
Care must be taken to
– investigate the whole package permissions,
– remove unnecessary files, or
– use later versions
Wrap up
If you do not use open source software, you will be left out
– Managed adoption of open source software
Open source projects are composite projects
– … unless proven otherwise
– Declared licenses may not match the visible, or hidden, sublicenses
OSS packages released by formal OSS communities are preferred
Compliance requires
– Knowledge of what OSS packages are used
– Access to the OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
About Protecode
Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Accurate, usable and reliable products and services for organizations worldwide