TRANSCRIPT
-
8/8/2019 Open Source Paris Think Tank 2010 Final
Open Source Paris Think Tank
2010: Legal Issues
Mark Radcliffe (Silicon Valley), [email protected]
Carol Umhoefer (Paris) [email protected]
Thomas Jansen (Munich) [email protected]
-
Global Locations
A global organization: 69 offices in 30 countries
3,500 lawyers
8,000 people worldwide
Over 1,500 lawyers on each side of the Atlantic
Major presence in Asia
Only global law firm with strategic focus on technology and emerging growth
-
New Reality of Software Development
Software development has changed forever
Internet, community development & open source software (OSS) licensing
Componentization and re-use
Recent surveys confirm OSS has gone mainstream
When it comes to Enterprise IT adoption, Open Source has Crossed the Chasm
Business critical OSS systems exist; they work and they scale
US catching up with Europe
Focus in 2010 is on improving business process and supporting company growth.
Jeff Hammond, Forrester, OSS Adoption Patterns in Enterprise IT, August 2010
Product companies believe open source is changing the way business operates IT
Accenture Open Source Research, Industry Findings, August 2010
Black Duck Survey at SD West (March 11, 2009):
Only 22% of those surveyed reported that their organizations have explicit
management policies and procedures in place
Only 40% of larger companies with more than 500 developers had explicit
management policies
-
2009/2010: Legal Year in Review
Rise of litigation
Microsoft v. TomTom
Oracle v. Google
Artifex v. Palm
AFPA v. Edu4
Jacobsen decision undercut by District Court
Remedy issue
Copyright: injunctive relief/statutory damages
Contract: monetary damages
Case settles with payment to Jacobsen
Open Source: M&A
Delays Oracle merger with Sun
Enforcement of GPL continues
Busybox: SFLC files more suits
Welte (gpl-violations.org): Dell (Android); Free (France)
-
2010: New Legal Issues
Patents & open source
TurboHercules and IBM
Oracle v. Google
Different results in different legal cultures (civil v. common law, e.g., France)
Rise of hybrid products and potential for conflicting license obligations
New issues: open source in the cloud
Increased scrutiny in use of open source in supply chain: diligence
questionnaires
Greater scrutiny in M&A
Contribution agreements: assignment v. license
More tools: Binary Analysis Tool/Linux Foundation tools
-
Reasons for an Open Source Policy
Role of a policy
Manage risk
Ensure strategic flexibility
Unusual OSS risks
Automatic termination of GPL
Uncertain scope of GPL
Broad scope of patent termination in MPL
Forking of code
Customers are demanding to know what is in your product
Compliance important for financings/M&A
IT staff turn over and difficulty of following up
Enforcement increasing by commercial and non-commercial licensors
Commercial: Artifex; Oracle
Non-commercial: Welte; SFLC
-
Overview of Open Source Policy
Cross functional
Product Planning/Management
Legal, Security & Export Compliance (including encryption)
Engineering
Integrated Processes
Component Management
License Management
Release Management
Release Planning
Release Delivery
Security Review
Export Compliance Review
-
Best Practices: Strategy
Systemic
Baked in to the culture & workflow
Event Driven
Component approval request
Planning a release
Accepting a code drop from a vendor/outsourcer
Performing a build
Creating a release
Embrace Supply Chain Techniques
ERP systems brought together different users and processes
Workflow automates task creation
Notifications
Process Monitoring
Central repositories of data
Business Process Integration is the key
-
Best Practices: Structure
Define criteria for approved software
Licenses
Use (internal/product/website)
Sources
Support
Other
Define criteria for unapproved software
Scope of application: internal development, independent contractor,
outsource vendors, M&A
Define conditions for participating in the Open Source Software development
Employee Education
No compliance without education
-
Best Practices: Coverage
Define how development teams and other functions search, select, approve, track, validate and monitor OSS
Inbound approval processes
Code from internal teams, external sources
Outbound compliance processes
Distributed code
Create a baseline of your code
Prioritize
Perform code analysis
Plan remediation
Document the origins of the code base
Determine all components and licenses in use
Verify usage is approved
Create a catalogue of approved components and licenses
Validation processes
-
Commercial Tools for OSS Management
Commercial Tools
Black Duck Software
Palamida
OpenLogic
-
OSS Management: Community Initiatives
1. The Software Package Data Exchange (SPDX) specification is a standard format for communicating the components, licenses and copyrights associated with a software package: www.spdx.org
2. The Linux Foundation has developed tools to assist in determining and
managing open source
www.linuxfoundation.org/programs/legal/compliance/tools
3. HP has made its open source scanning tools available through Fossology
www.fossology.org
4. gpl-violations.org has made its binary scanning tool (the Binary Analysis Tool) available
www.binaryanalysis.org/en/content/show/download
5. Project Harmony: informal group of lawyers and industry members who are
discussing the role of contribution agreements in open source projects
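As an added example (not code from the slides, nor from SPDX, the Linux Foundation or any other project named above), the following runs the check described on the Coverage slide, determine the components and licenses in use and verify each against a catalogue of approved licenses, over an SPDX tag-value inventory. The tag names PackageName, PackageLicenseConcluded and PackageLicenseDeclared are SPDX's own; the inventory itself, the package names, the catalogue and the three use classes (internal, product, website) are constructed assumptions for illustration, and the real catalogue is whatever the policy owners approve.

```python
import re
from dataclasses import dataclass

# Constructed SPDX tag-value inventory (SPDXID and other mandatory tags omitted for brevity).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: libutil
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageName: netcore
PackageLicenseConcluded: AGPL-3.0-only
PackageLicenseDeclared: AGPL-3.0-only
PackageName: dualkit
PackageLicenseConcluded: (MIT OR GPL-2.0-only)
PackageLicenseDeclared: (MIT OR GPL-2.0-only)
PackageName: mystery-blob
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
"""

# Hypothetical catalogue per use class; "website" is software run as a network service, so AGPL is left out.
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
POLICY = {
    "internal": PERMISSIVE | {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "product": PERMISSIVE,
    "website": PERMISSIVE | {"GPL-2.0-only", "GPL-3.0-only"},
}
LICENSE_TAGS = {"PackageLicenseConcluded": "concluded", "PackageLicenseDeclared": "declared"}


@dataclass
class Package:
    name: str
    concluded: str = "NOASSERTION"
    declared: str = "NOASSERTION"


def parse_spdx_tag_value(text):
    """Each PackageName tag opens a package; the license tags that follow attach to it."""
    packages, current = [], None
    for raw in text.splitlines():
        tag, _, value = raw.strip().partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is not None and tag in LICENSE_TAGS:
            setattr(current, LICENSE_TAGS[tag], value)
    return packages


def license_ok(expr, approved):
    """Evaluate an SPDX license expression against the catalogue; WITH binds tightest, then AND, then OR."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)

    def atom():
        tok = toks.pop(0)
        if tok == "(":
            ok = disj()
            if toks.pop(0) != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return ok
        if toks and toks[0] == "WITH":  # license plus exception forms one catalogue entry
            toks.pop(0)
            tok = f"{tok} WITH {toks.pop(0)}"
        return tok in approved

    def conj():
        ok = atom()
        while toks and toks[0] == "AND":
            toks.pop(0)
            ok = atom() and ok  # operand evaluated first so its tokens are always consumed
        return ok

    def disj():
        ok = conj()
        while toks and toks[0] == "OR":
            toks.pop(0)
            ok = conj() or ok
        return ok

    result = disj()
    if toks:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def check_inventory(packages, use):
    """Return (package, verdict, reason) per package; verdict is APPROVED, REJECTED or REVIEW."""
    findings = []
    for p in packages:
        known = [lic for lic in (p.concluded, p.declared) if lic not in ("NOASSERTION", "NONE")]
        if not known:
            findings.append((p.name, "REVIEW", "license unknown or absent; scan the source"))
        elif license_ok(known[0], POLICY[use]):
            findings.append((p.name, "APPROVED", known[0]))
        else:
            findings.append((p.name, "REJECTED", f"{known[0]} not approved for {use} use"))
    return findings
```

Running check_inventory(parse_spdx_tag_value(SAMPLE_SPDX), "product") approves libutil and dualkit (the dual license offers an approved option), rejects netcore, and sends mystery-blob to review rather than waving it through; the same netcore is approved for internal use and rejected for the website class, which is the network-use distinction the cloud slide below raises for AGPL. Verdicts are returned as data so the check can gate a build or a release rather than only print a report.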
-
Common Mistakes in OSS Policies
Legalese: make it understandable
General policy intended for certain products/business model/groups
Failure to cover other sources of software: consultants, M&A, third-party licensors
Policy too strict so VOA: Violated on Arrival
Does not allow for edge cases
Does not provide for modification to meet changes in business
model/products
-
Open Source in M&A
Separate diligence process: Cisco, Verisign
Due diligence issues:
What is the OSS use policy?
How is it implemented?
Government scrutiny
MySQL in Oracle/Sun merger
Special OSS legal issues
Inability to assign most OSS licenses
What is distribution?
Experience:
Increase in escrow amount and duration
Reduction in price
-
Open Source in the Cloud
Most OSS license obligations are triggered by distribution, but some licenses are triggered by making the software available over a computer network
AGPL
OSL
CPAL
What does distribution mean in the cloud
Does control of servers make a difference?
Does provision of services by third parties other than the initial licensor (i.e., surge capacity from third-party providers) make a difference?
How to comply with OSS license obligations when the location of the computers is
unknown?
What about use of OSS by cloud computing vendors and potential effects on
cloud user software?
-
Conclusions
Open source is ubiquitous: pure commercial software companies do not exist; even Microsoft calls itself a hybrid
Companies need to implement OSS management solutions to respond to
customers who are asking about OSS in inbound products
Mistakes can be expensive because of increase in litigation
Open source issues spread throughout all types of corporate activity:
M&A
Litigation settlements
Many critical issues remain uncertain
What business models will be successful
Role of governments