linuxcon europe 2014: license compliance and open source software logistics for cloud-based...


Upload: black-duck-software

Post on 20-Aug-2015


TRANSCRIPT

Page 1: LinuxCon Europe 2014: License Compliance and Open Source Software Logistics for Cloud-Based Applications

© 2014 Black Duck Software, Inc.  All Rights Reserved.

LICENSE COMPLIANCE AND OPEN SOURCE SOFTWARE LOGISTICS FOR CLOUD-BASED APPLICATIONS

Kirsten Newcomer, Director of Product Management, Black Duck Software

@black_duck_sw

Page 2

DISCLAIMERS

I AM NOT A LAWYER

THIS TALK DOES NOT PROVIDE LEGAL ADVICE

Page 3

THE FUTURE OF OPEN SOURCE 2014 (survey logo)

Page 4

RECORD-BREAKING RESPONSES

THE FUTURE OF OPEN SOURCE – SURVEY RESPONDENTS

• 2014: 1,240
• 2013: 822
• 2012: 740
• 2011: 453

Page 5

SURVEY RESPONDENTS

• 42% vendor
• 58% non-vendor

Page 6

SURVEY RESPONDENTS – ROLES

• SOFTWARE ENGINEER/DEVELOPER
• ANALYST
• CEO/FOUNDER
• CIO
• EDUCATOR
• LINE OF BUSINESS MANAGER
• MARKETING
• SYSTEM ARCHITECT/ENGINEER
• OTHER
• VP
• SALES/BUSINESS DEVELOPMENT
• IT MANAGEMENT & STAFF
• LAWYER/INVESTOR
• PRESIDENT

Page 7

THE RISE OF SaaS AMONG OPEN SOURCE VENDORS

SOFTWARE AS A SERVICE (SaaS)

• 2014: 60% – SaaS MOVED TO #1 FROM 2013
• 2013: 47%
• 2012: 40%

Page 8

OPEN SOURCE CENTRAL ACROSS TECHNOLOGY

MAIN AREAS WHERE OPEN SOURCE IS LEADING THE TECHNOLOGY INDUSTRY

• CLOUD/VIRTUALIZATION: 63%
• CONTENT MGMT: 57%
• MOBILE: 53%
• SECURITY: 51%
• COLLABORATION: 49%
• NETWORK MGMT: 48%
• SOCIAL MEDIA: 46%
• 3D PRINTING: 27%
• ANALYTICS AND BUSINESS INTELLIGENCE: 26%
• DRONES: 13%
• GAMING: 12%
• ERP: 10%

Page 9

OPEN API FUELS OPEN SOURCE

• 68% Will Reinforce Growth/Adoption
• 14% Don’t Know/Not Sure
• 9% Will Substitute for or Inhibit Growth
• 7% Will Have No Impact

Page 10

WHAT ELSE DID WE LEARN?

Page 11

CORPORATE PARTICIPATION IN OSS

OVER 50% OF ALL ENTERPRISES ARE EXPECTED TO CONTRIBUTE TO AND ADOPT OPEN SOURCE

Page 12

CORPORATE PARTICIPATION IN OSS

30% MAKE IT EASY FOR EMPLOYEES TO PARTICIPATE OR START THEIR OWN OPEN SOURCE PROJECTS

Page 13

NEW PEOPLE IMPACTING OPEN SOURCE

#1 FACTOR IN EXPLOSION OF SMALL PROJECTS IS FIRST-TIME DEVELOPERS PARTICIPATING IN OPEN SOURCE

2X More Important Than Any Other Factor

Page 14

SO, HOW DOES THE RISE OF SAAS AFFECT YOU?

Odds are good that you’re going to be working with open source

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

A quick refresher is in order…

• Goals of open source licenses
• Categories of licenses

Page 15

OPEN SOURCE DEFINITION

1. Free Redistribution
2. Program must include Source Code and must allow distribution in source code as well as compiled form
3. Must Allow Modifications and Derived Works
4. Integrity of the Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License – no additional license can be required of others who redistribute the program
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral – not predicated on any individual technology

Page 16

THE OSS LICENSE CONTINUUM

From Permissive to Restrictive:

• Permissive licenses: X11/MIT, Apache, BSD
• Weaker Copyleft: LGPL, MPL
• Stronger Copyleft: GPL, AGPL

Page 17

COMMON MYTHS ABOUT OPEN SOURCE

• “Open source is in the public domain.”
• “None of these agreements are enforceable so it doesn’t really matter anyway.”
• “If I don’t distribute software, I don’t need to worry about licensing.”
• “All open source licenses require the release of source code for everything.”
• “No one will ever know.”
• “All open source licenses are reciprocal/copyleft…”

Page 18

EVOLUTION OF SOFTWARE DELIVERY AND OPEN SOURCE LICENSES

Timeline 1990 – 2000 – 2010 (figure); milestones shown: CDs, GPL V2, Google, ASP / SaaS Loophole, AGPLv1, GPLv3 / AGPLv3, Cloud, SaaS

“The GNU Affero General Public License . . . requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version.” – Preamble to AGPL 3.0 license

Page 19

THE GNU GPL FAMILY OF LICENSES

• 1991 – GPL v2: Private use is unrestricted. If you distribute object code, you must make source code available.
• LGPL v2: “Work that uses library” versus “Work based on library”
• 2002 – AGPL v1: Closes the network access loophole
• 2007 – GPL v3: System library exception; Internationalization – country-neutral terminology; License compatibility (Apache, Affero)
• 2007 – LGPL v3: An additional permission for GPL v3 licensed code
• 2007 – AGPL v3: Includes all GPLv3 terms and adds “Network Use” clause. Network Use Clause: Source code sharing obligation also extends to “all users who access through a computer network”

Page 20

MORE ABOUT INTERNATIONALIZATION

Rights are tied to laws in specific countries; you do not have “copyright” but UK copyright, US copyright, French copyright, German copyright, etc.

Point of interest: the English tradition views copyright as an industrial right; the Continental tradition views copyright as the right of the artist.

GPL v2 is tightly tied to US copyright law

• Legislative history and case law define “Distribution,” “public distribution,” “limited distribution”
• Distribution means one thing in US and another in Europe
• Even the term “public” has a long legal history in US

It is impossible to say anything about “distribution” of copyrighted works that is globally accurate.

Page 21

THE GNU GPLV3

GPL v3 changes language to use contract terms

• Convey: To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

• Propagate: To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

BUT, intentionally does not close SaaS loophole

Page 22

THE AGPL V3

Includes all GPLv3 terms and “Network Use” clause

Network Use Clause: Source code sharing obligation also extends to “all users who access through a computer network”

The network use clause is set forth below: “Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.”

Page 23

GPLV3 INTERACTION WITH AFFERO GENERAL PUBLIC LICENSE

GPLV3 does not incorporate the Affero General Public License requirements into GPLV3. But it does build a bridge… Section 13 of GPLV3, Use with the GNU Affero General Public License:

• Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

Page 24

NUMBER OF PROJECTS WITH AGPL-LIKE LICENSES

Source: Black Duck KnowledgeBase (did not include Apple Public Source License in analysis)

Over 1000 projects use AGPLv3

Page 25

INDIVIDUAL SAAS LICENSE MARKET SHARE AS A PERCENTAGE OF TOTAL SAAS LICENSE MARKET

Rank License %

1 GNU Affero General Public License v3.0 53.93%

2 Open Software License 2.0 21.07%

3 Affero General Public License v 1.0 7.61%

4 Open Software License 3.0 7.23%

5 Common Public Attribution License 1.0 5.72%

6 Academic Free License v3.0 1.95%

7 Open Software License 2.1 1.86%

8 Open Software License 1.1 0.25%

9 Non-Profit Open Software License 3.0 0.22%

10 Honest Public License 0.06%

11 Rumba Exception to Gnu Affero General Public License V3.0 0.03%

12 Zarafa Affero 3 License 0.03%

13 Open Software License 1.0 0.03%

Page 26

AGPL-LIKE LICENSES DISCOVERED IN AUDITS

Source: Black Duck Audit Data

Page 27

APPLE PUBLIC SOURCE LICENSE

Unique license from Apple

1.4 "Externally Deploy" means: (a) to sublicense, distribute or otherwise make Covered Code available, directly or indirectly, to anyone other than You; and/or (b) to use Covered Code, alone or as part of a Larger Work, in any way to provide a service, including but not limited to delivery of content, through electronic communication with a client other than You.

If You Externally Deploy Your Modifications, You must make Source Code of all Your Externally Deployed Modifications either available to those to whom You have Externally Deployed Your Modifications, or publicly available. Source Code of Your Externally Deployed Modifications must be released under the terms set forth in this License, including the license grants set forth in Section 3 below, for as long as you Externally Deploy the Covered Code or twelve (12) months from the date of initial External Deployment, whichever is longer. You should preferably distribute the Source Code of Your Externally Deployed Modifications electronically (e.g. download from a web site).

Page 28

COMMON PUBLIC ATTRIBUTION LICENSE

Drafted for Socialtext prior to AGPLv3, Mozilla Public License with “External Deployment” provisions

15. ADDITIONAL TERM: NETWORK USE. The term “External Deployment” means the use, distribution, or communication of the Original Code or Modifications in any way such that the Original Code or Modifications may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Code or Modifications as a distribution under section 3.1 and make Source Code available under Section 3.2.

Page 29

OPEN SOFTWARE LICENSE/ACADEMIC FREE LICENSE

Unique licenses which use “External Deployment” concept to extend requirements to provide source code to network use as well as distribution:

5) External Deployment. The term "External Deployment" means the use, distribution, or communication of the Original Work or Derivative Works in any way such that the Original Work or Derivative Works may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Work or a Derivative Work as a distribution under section 1(c).

Page 30

HONEST PUBLIC LICENSE

This license is a modified version of the GNU General Public License copyright (C) 1989, 1991 Free Software Foundation, Inc. and has been made with their permission, but has not been endorsed by the Free Software Foundation. Section 2(d) has been added to cover use of software over a computer network.

b) You must cause any work that you distribute, communicate to the public or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

Page 31

PARTICULAR CHALLENGES COME WITH LICENSE COMBINATIONS

Applications are made up of many parts, with, often, many licenses

• AGPL
• Apache
• BSD
• Commercial

Many SaaS applications have downloadable plug-ins with additional licenses, such as

• GPL – JavaScript

It’s important to evaluate compatibility

• Licenses may include provisions which may be incompatible with the obligations of other licenses
• Even when license obligations can be incompatible, the issue is whether the obligations are triggered
• Be aware of file-level licenses as well; not all files in a project have the same license

Page 32

NOW ADD IN DOCKER…

Download Browser App

Download Mobile App

Download Desktop App

Page 33

DOES DOCKER CHANGE THINGS?

• Docker is increasing the use of containers
• We seem to be on the verge of another delivery paradigm shift
• Are there any special considerations for OSS licenses when used in software distributed in containers?
• What kind of a distribution, or conveyance, is a Docker container?
• Does it depend on where it’s deployed?
  • You created it and you deploy it to your private cloud
  • You created it and you make it available for download in Docker Hub
• What legal obligations do you have?
• How do you manage those obligations?
• How does the down-stream consumer of the container know what obligations she incurs when deploying your container
  • for in-house use
  • for use in an externally facing SaaS application
  • for use by another downstream application
• Does the fact that the container is fully encapsulated change anything?
• How will you determine what the combination of licenses and obligations are for the contents of a Docker image that you download?
• Will new license terms emerge in response to Docker containers?
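The questions above, and the "is the obligation triggered?" point from page 31, can be turned into a first-pass check over a container manifest. The script below is an added illustration by the editor, not Black Duck tooling or code from the talk: it applies only the trigger conditions quoted on pages 19, 21, 22 and 27–29 to a constructed component list under the three deployment cases from page 33. The SPDX-style license tags, the manifest, and the assumption that private in-house deployment triggers no source-sharing duty are the editor's.

```python
"""Source-sharing obligations triggered by a container's components.
Added illustration, not Black Duck tooling or code from the slides; it
encodes only the trigger rules the slides quote (see comments). Assumed:
SPDX-style tags, the constructed manifest, and that private in-house
deployment triggers nothing ("private use is unrestricted")."""
from dataclasses import dataclass, field

# GPL family: duty attaches when object code is conveyed; "mere interaction
# with a user through a computer network" is not conveying (page 21).
# AGPLv3: network-use clause attaches when a *modified* program is offered
# to users over a network (page 22).  APSL/CPAL/OSL: "External Deployment"
# treats providing a service like distribution (pages 27-29).
TRIGGER = {
    "GPL-2.0": "distribute", "GPL-3.0": "distribute", "LGPL-3.0": "distribute",
    "AGPL-3.0": "network",                      # all GPLv3 terms plus network use
    "APSL-2.0": "external", "CPAL-1.0": "external", "OSL-3.0": "external",
    "MIT": "none", "BSD-3-Clause": "none", "Apache-2.0": "none",   # permissive
}
MODES = ("private", "saas", "download")         # page 33's deployment cases

@dataclass
class Component:
    name: str
    license: str                                # project-level license
    modified: bool = False                      # AGPLv3 s.13 applies "if you modify"
    file_licenses: dict = field(default_factory=dict)  # page 31: file-level licenses

def triggered(component: Component, mode: str) -> set:
    """Licenses in this component whose source-sharing duty is triggered."""
    if mode not in MODES:
        raise ValueError(f"unknown deployment mode {mode!r}")
    hits = set()
    for lic in {component.license, *component.file_licenses.values()}:
        kind = TRIGGER.get(lic)
        if kind is None:                        # commercial or unmapped: flag for review
            hits.add(f"{lic} (unmapped, review)")
        elif kind == "distribute" and mode == "download":
            hits.add(lic)
        elif kind == "network" and (mode == "download" or (mode == "saas" and component.modified)):
            hits.add(lic)
        elif kind == "external" and mode != "private":
            hits.add(lic)
    return hits

def report(components, mode: str) -> dict:
    """Map component name -> sorted triggered licenses (empty list if none)."""
    return {c.name: sorted(triggered(c, mode)) for c in components}

IMAGE = [                                       # constructed manifest, pages 31-33
    Component("webapp", "AGPL-3.0", modified=True),
    Component("db-driver", "AGPL-3.0"),         # used unmodified
    Component("ui-plugin", "GPL-3.0"),          # downloadable JavaScript plug-in
    Component("utils", "MIT", file_licenses={"vendor/attrib.c": "CPAL-1.0"}),
    Component("sdk", "Commercial"),
]
if __name__ == "__main__":
    for mode in MODES:
        print(mode, report(IMAGE, mode))
```

Running it shows the same image triggering nothing in a private cloud, the modified AGPL component and the CPAL file in an externally facing SaaS deployment, and every copyleft component once the image is published on Docker Hub; the unmapped commercial SDK is flagged for review in every mode.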

Page 34

TECHNICAL DECISIONS HAVE LEGAL IMPLICATIONS

• Choosing a FOSS project requires both legal and technical evaluation
• Compliance is mission critical
• Must understand the legal obligations as well as the code, and the community
• Security matters too, especially with Service solutions

Page 35

OSS LOGISTICS IS ABOUT…

• Knowing what open source you use.
• Knowing where your open source is used.
• Knowing how your open source is deployed.
• Using open source code in a compliant way.
• Knowing what your legal obligations are.
• Working with community to maintain the open source you use.
• Understanding the security of your open source.
• Participating effectively in the open source ecosystem.

Page 36

TO DO THE RIGHT THING, YOU NEED TO KNOW

• Strategy: The business objectives for your application
• License(s) & Obligations: The set of obligations associated with your use of open source
• Technology: Automation to provide visibility, control and assist with compliance

Tens of thousands of developers leverage the GPL every day, and do it in compliance with its obligations; the community will do the same for AGPL

Page 37

THANK YOU

QUESTIONS?

[email protected]