open source paris think tank 2010 final

Upload: mfradcliffe

Post on 10-Apr-2018


  • 8/8/2019 Open Source Paris Think Tank 2010 Final

    1/16

    Open Source Paris Think Tank

    2010: Legal Issues

    Mark Radcliffe (Silicon Valley), [email protected]

    Carol Umhoefer (Paris) [email protected]

    Thomas Jansen (Munich) [email protected]

    2/16

    Global Locations

    A global organization: 69 offices in 30 countries

    3,500 lawyers

    8,000 people worldwide

    Over 1,500 lawyers on each side of the Atlantic

    Major presence in Asia

    Only global law firm with

    strategic focus on technology

    and emerging growth

    3/16

    New Reality of Software Development

    Software development has changed forever

    Internet, community development & open source software (OSS) licensing

    Componentization and re-use

    Recent surveys confirm OSS has gone mainstream

    When it comes to Enterprise IT adoption, Open Source has Crossed the Chasm

    Business critical OSS systems exist; they work and they scale

    US catching up with Europe

    Focus in 2010 is on improving business process and supporting company growth.

    Jeff Hammond, Forrester, OSS Adoption Patterns in Enterprise IT, August 2010

    Product companies believe open source is changing the way business operates IT

    Accenture Open Source Research, Industry Findings, August 2010

    Black Duck Survey at SD West (March 11, 2009):

    Only 22% of those surveyed reported that their organizations have explicit management policies and procedures in place

    Only 40% of larger companies with more than 500 developers had explicit management policies

    4/16

    2009/2010: Legal Year in Review

    Rise of litigation

    Microsoft v. TomTom

    Oracle v. Google

    Artifex v. Palm

    AFPA v. Edu4

    Jacobsen decision undercut by District Court

    Remedy issue

    Copyright: injunctive relief/statutory damages

    Contract: monetary damages

    Case settles with payment to Jacobsen

    Open Source: M&A

    Delays Oracle merger with Sun

    Enforcement of GPL continues

    Busybox: SFLC files more suits

    Welte (gpl-violations): Dell (Android); Free (France)

    5/16

    2010: New Legal Issues

    Patents & open source

    TurboHercules and IBM

    Oracle v. Google

    Different results in different legal cultures (civil v. common law, e.g., France)

    Rise of hybrid products and potential for conflicting license obligations

    New issues: open source in the cloud

    Increased scrutiny in use of open source in supply chain: diligence questionnaires

    Greater scrutiny in M&A

    Contribution agreements: assignment v. license

    More tools: Binary Analysis Tool/Linux Foundation tools

    6/16

    Reasons for an Open Source Policy

    Role of a policy

    Manage risk

    Ensure strategic flexibility

    Unusual OSS risks

    Automatic termination of GPL

    Uncertain scope of GPL

    Broad scope of patent termination in MPL

    Forking of code

    Customers are demanding to know what is in your product

    Compliance important for financings/M&A

    IT staff turnover and difficulty of following up

    Enforcement increasing by commercial and non commercial licensors

    Commercial: Artifex; Oracle

    Non commercial: Welte; SFLC

    7/16

    Overview of Open Source Policy

    Cross functional

    Product Planning/Management

    Legal, Security & Export Compliance (including encryption)

    Engineering

    Integrated Processes

    Component Management

    License Management

    Release Management

    Release Planning

    Release Delivery

    Security Review

    Export Compliance Review

    8/16

    Best Practices: Strategy

    Systemic

    Baked into the culture & workflow

    Event Driven

    Component approval request

    Planning a release

    Accepting a code drop from a vendor/outsourcer

    Performing a build

    Creating a release

    Embrace Supply Chain Techniques

    ERP systems brought together different users and processes

    Workflow automates task creation

    Notifications

    Process Monitoring

    Central repositories of data

    Business Process Integration is the key

    9/16

    Best Practices: Structure

    Define criteria for approved software

    Licenses

    Use (internal/product/website)

    Sources

    Support

    Other

    Define criteria for unapproved software

    Scope of application: internal development, independent contractors, outsource vendors, M&A

    Define conditions for participating in the Open Source Software development

    Employee Education

    No compliance without education

    10/16

    Best Practices: Coverage

    Define how development teams and other functions search, select, approve, track, validate & monitor open source components

    Inbound approval processes

    Code from internal teams, external sources

    Outbound compliance processes

    Distributed code

    Create a baseline of your code

    Prioritize

    Perform code analysis

    Plan remediation

    Document the origins of the code base

    Determine all components and licenses in use

    Verify usage is approved

    Create a catalogue of approved components and licenses

    Validation processes

    11/16

    Commercial Tools for OSS Management

    Commercial Tools

    Black Duck Software

    Palamida

    OpenLogic

    12/16

    OSS Management: Community Initiatives

    1. Software Package Data Exchange (SPDX) specification is a standard format for communicating the components, licenses and copyrights associated with a software package: www.spdx.org

    2. The Linux Foundation has developed tools to assist in determining and managing open source

    www.linuxfoundation.org/programs/legal/compliance/tools

    3. HP has made its open source scanning tools available through Fossology

    www.fossology.org

    4. GPL violations has made its binary scanning tools available

    www.binaryanalysis.org/en/content/show/download

    5. Project Harmony: informal group of lawyers and industry members who are discussing the role of contribution agreements in open source projects
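    The inventory-and-catalogue steps on the Coverage slide (baseline the code, determine all components and licenses in use, verify usage is approved against a catalogue) and the SPDX format above can be wired together into a mechanical policy check. The following is an added example written for this page, not code from the presenters or from the SPDX project. It parses a constructed component list written with the SPDX tag-value keys PackageName and PackageLicenseConcluded, then evaluates each component against a hypothetical approved-license catalogue keyed by the use contexts from the Structure slide (internal/product/website). The network-triggered license set reflects the Cloud slide (AGPL, OSL, CPAL); the license identifiers and the policy table are assumptions chosen for illustration.

```python
"""Added example: check an SPDX-style component inventory against an open source policy."""

# Constructed sample inventory in SPDX tag-value style (not taken from the slides).
# Real SPDX documents carry many more fields; only the two needed here are used.
SAMPLE_INVENTORY = """\
PackageName: libfoo
PackageLicenseConcluded: MIT
PackageName: netserver
PackageLicenseConcluded: AGPL-3.0
PackageName: crypto-utils
PackageLicenseConcluded: GPL-2.0
PackageName: mystery-lib
PackageLicenseConcluded: NOASSERTION
"""

# Hypothetical policy catalogue: which licenses are approved for which use context.
# "internal" is the most permissive because nothing is distributed; "product" is the
# strictest because shipping a binary triggers most copyleft obligations.
POLICY = {
    "internal": {"MIT", "BSD-3-Clause", "Apache-2.0", "GPL-2.0", "AGPL-3.0"},
    "product": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "website": {"MIT", "BSD-3-Clause", "Apache-2.0", "GPL-2.0"},
}

# Licenses whose obligations are triggered by making the software available over a
# network, not only by distribution (assumed identifiers for the licenses the slides name).
NETWORK_TRIGGERED = {"AGPL-3.0", "OSL-3.0", "CPAL-1.0"}


def parse_inventory(text):
    """Parse 'Key: Value' lines into a list of {"name", "license"} dicts.

    A PackageName line starts a new package; PackageLicenseConcluded attaches the
    license to the most recent package. Unknown keys are ignored.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a tag-value line
        key, value = key.strip(), value.strip()
        if key == "PackageName":
            current = {"name": value, "license": None}
            packages.append(current)
        elif key == "PackageLicenseConcluded" and current is not None:
            current["license"] = value
    return packages


def evaluate(packages, use):
    """Classify each package as approved / unapproved / unknown for the given use context.

    Returns {name: {"status": ..., "license": ..., "note": ...}}. A note is attached when
    the license is network-triggered, because a "website" deployment is not a
    distribution under most licenses but still triggers these.
    """
    if use not in POLICY:
        raise ValueError(f"unknown use context: {use}")
    approved = POLICY[use]
    results = {}
    for pkg in packages:
        lic = pkg["license"]
        if lic in (None, "NOASSERTION", "NONE"):
            status = "unknown"  # origin not documented: cannot be validated
        elif lic in approved:
            status = "approved"
        else:
            status = "unapproved"
        note = None
        if lic in NETWORK_TRIGGERED:
            note = f"{lic} obligations are triggered by network use, not only distribution"
        results[pkg["name"]] = {"status": status, "license": lic, "note": note}
    return results


def summarize(results):
    """Count packages per status; the shape a release-gate report would carry."""
    counts = {"approved": 0, "unapproved": 0, "unknown": 0}
    for entry in results.values():
        counts[entry["status"]] += 1
    return counts


def release_allowed(results):
    """A release passes only when every component is approved; unknowns block too."""
    return all(entry["status"] == "approved" for entry in results.values())


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for use in POLICY:
        res = evaluate(inventory, use)
        print(use, summarize(res), "release allowed:", release_allowed(res))
        for name, entry in res.items():
            if entry["status"] != "approved" or entry["note"]:
                print("  ", name, entry)
```

Treating NOASSERTION as a blocking "unknown" rather than a pass is the point of the "document the origins of the code base" step: a component whose license cannot be concluded is a diligence finding, not a neutral result.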

    13/16

    Common Mistakes in OSS Policies

    Legalese: make it understandable

    General policy intended for certain products/business model/groups

    Failure to cover other sources of software: consultants, M&A, third party licensors

    Policy too strict so VOA: Violated on Arrival

    Does not allow for edge cases

    Does not provide for modification to meet changes in business model/products

    14/16

    Open Source in M&A

    Separate diligence process: Cisco, Verisign

    Due diligence issues:

    What is the OSS use policy?

    How is it implemented?

    Government scrutiny

    MySQL in Oracle/Sun merger

    Special OSS legal issues

    Inability to assign most OSS licenses

    What is distribution? Experience

    Increase in escrow amount and duration

    Reduction in price

    15/16

    Open Source in the Cloud

    Most OSS license obligations are triggered by distribution, but some licenses are triggered by making available over a computer network

    AGPL

    OSL

    CPAL

    What does distribution mean in the cloud?

    Does control of servers make a difference?

    Does provision of services by third parties other than the initial licensor (i.e. surge third party providers) make a difference?

    How to comply with OSS license obligations when the location of the computers is unknown?

    What about use of OSS by cloud computing vendors and potential effects on cloud user software?

    16/16

    Conclusions

    Open source is ubiquitous: pure commercial software companies do not exist; even Microsoft calls itself a hybrid

    Companies need to implement OSS management solutions to respond to customers who are asking about OSS in inbound products

    Mistakes can be expensive because of increase in litigation

    Open source issues spread throughout all types of corporate activity:

    M&A

    Litigation settlements

    Many critical issues remain uncertain

    What business models will be successful?

    Role of governments