Page 1

Qualcomm Technologies, Inc.

The Enemy of Open Source Compliance is……Open Source Itself

November 10, 2015

Dave Marr, VP and Legal Counsel

Presented at the Linux Compliance Summit held by the Linux Foundation in Yokohama

© 2015 Qualcomm Technologies, Inc. and/or its affiliated companies. All rights reserved.

Page 2

…the views offered in these materials are those of the speaker, and not the organization by which he is employed.

Page 3

The Evolution of Open Source Compliance: How Far Have We Come?

Page 4

Where I think we are

Page 5

What we now know

An Evolution

• License proliferation can be slowed but not stopped
  o Licenses that are “widely used and with strong communities”

• Debate and discussion of community norms makes for strong communities
  o The Debian Free Software Guidelines
  o GPL (pick your favorite interpreter)
  o License as the constitution
  o Developer Certificate of Origin
  o But: Contribution Agreements

• The GPL is enforceable as a license

• License compliance is usually best done by copyright holders
  o The Quakers vs. the Copyright Troll(s)

• Patents vs. open source is a false dichotomy
  o They can play well together if approached thoughtfully
  o Community open source projects have little to fear
    o Unless your name is Jacobsen

Page 6

What we don’t know

Ongoing life mysteries

• Does it blend: standards, open source and IP policies

• Why well-meaning companies continue to make mistakes

• Why our software supply chain is still full of inefficiencies
  o Solution: OpenChain (tomorrow)

• Whether open source developers actually care about their license choices

Page 7

Require engineering students to learn nothing about open source licensing

Lack of Proper Nurturing

• Engineering college instructors encourage software engineers to liberally use open source code to complete their projects, but do not require them to learn about licensing or intellectual property

Page 8

Create an Ecosystem that Allows Maximal Movement of Code

…without systematic controls

• Brownian-motion-like behavior for code moving among open source projects

Page 9

…Full of Subtle License Incompatibilities

(Chart of top open source licenses; source: Black Duck Software)

• Make determinations subjective and therefore not easily amenable to ecosystem-wide approaches

• And add many, many projects that have no license at all
  o Copyright law: the presumption is that you need to get permission. An author’s silence is not permission.

Page 10

Make You Responsible for Perfect Knowledge

Crushed it? Not.

• Spotty version control history
  o Flattening of history

• Inconsistent code management practices among projects

• You (compliance) didn’t write it

• Even if you did write some of it, each person can only vouch for what he/she wrote

• You (vis-à-vis your executives) have to vouch for the whole wad of code

• What are you going to do?

Page 11

Some Words of Appreciation

It’s a good problem to have

• We would not be here if open source was not incredibly valuable

• Amazing community achievement

• Genuine motivations of altruism

• They didn’t design this system, they just participate

Page 12

The Root of the Problem

Good compliance is at odds with the basic motivation of open source developers

• Developers want to write code, not deal with licensing

• Solution: make licensing so easy… a monkey could do it

Page 13

Edge of Maturity

When an industry begins to look after itself

• We’re not on anyone’s master plan

• There’s no invisible hand to guide us except enlightened self-interest

• We’re caught between two forces – “rational/objective” (market driven, predictable) and “irrational/subjective” (ethics, event-driven)

• Current dichotomy between corporate open source and grassroots open source needs planned convergence
  o At first it was about getting access to source code for grassroots developers to develop code
  o Most developers don’t really focus on licensing, but the few that do really care

Page 14

What We Need

Open Source Project Management Consistency – One Method to Rule Them All

• On top of SPDX (assume deployed widely)

• On top of OpenChain (assume followed consistently among verticals)

1. Mechanism (crawler? check-in process?) that can be deployed on a project to check for incompatibilities
   o Provide notice, not prevent non-distributable combinations
   o Metadata that is readable by a pull request

2. VCS-compatible schema for licensing
   o Every piece of code carries its license information

3. Binary build plug-in (linker level?) that can set aside metadata for what is being compiled

4. Add to software engineering curricula a small, required, 1-2 unit course on software licensing
   o Outreach to University Engineering Deans
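A minimal form of items 1 and 2 above, as an added example that is not from the slides or from SPDX, OpenChain or FOSSology: a check-in scanner that reads the SPDX-License-Identifier header each file is assumed to carry, reports files with no declared license, and gives notice (without blocking) of incompatible license pairs present in the same tree. The function names scan_tree and find_notices and the INCOMPATIBLE table are my assumptions; the table is a constructed illustrative subset.

```python
import os
import re
from collections import defaultdict

# Matches the SPDX short-identifier header, e.g. "// SPDX-License-Identifier: MIT"
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

# Assumed, constructed subset of license pairs generally treated as not
# distributable in one combined work; a real deployment would extend this table.
INCOMPATIBLE = {
    frozenset({"GPL-2.0-only", "Apache-2.0"}),
    frozenset({"GPL-2.0-only", "GPL-3.0-only"}),
}

def license_of(text):
    """Return the SPDX identifier declared in a file, or None if it has none."""
    m = SPDX_RE.search(text)
    return m.group(1) if m else None

def group_by_license(files):
    """files: {path: text}. Returns {identifier or None: [paths]}."""
    groups = defaultdict(list)
    for path, text in sorted(files.items()):
        groups[license_of(text)].append(path)
    return groups

def find_notices(files):
    """Notice, not prevention: one line per unlicensed file and per
    incompatible pair present in the tree, ready to post on a pull request."""
    groups = group_by_license(files)
    notices = [f"NO LICENSE: {p} (silence is not permission)" for p in groups.get(None, [])]
    declared = sorted(k for k in groups if k is not None)
    for i, a in enumerate(declared):
        for b in declared[i + 1:]:
            if frozenset({a, b}) in INCOMPATIBLE:
                notices.append(f"INCOMPATIBLE: {a} ({', '.join(groups[a])}) "
                               f"with {b} ({', '.join(groups[b])})")
    return notices

def scan_tree(root, exts=(".c", ".h", ".py")):
    """Read the head of each source file under root and return its notices."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read(2048)  # license headers sit at the top
    return find_notices(files)
```

Run `scan_tree(".")` from a check-in hook and post the returned lines as a pull-request comment; an empty list means every file declares a license and no listed pair is present.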

Page 15

The Corporate Community Pulling Together on Compliance

We already do it on open source projects, let’s do it on compliance initiatives

• Participate in
  o SPDX
  o OpenChain
  o FOSSology

• Some new projects still to be done

• We’re almost there

• If we work together we can make this happen

• Line up your executive support

Page 16

Like these guys

Page 17

Thank you

Dave Marr

[email protected]

Page 18

Image Credits

• Images on Slides 3 and 15 are from The National Center for Science Education (http://ncse.com/blog/2014/08/misconception-monday-lets-stop-monkeying-shall-we-0015781)

• Image on Slide 4 is public domain

• Image on Slide 7 is from MEOR (http://meor.org/)

• Image on Slide 8 is from JimmyAkin.org (http://jimmyakin.com/2012/05/brownian-motion-explained.html)

• Image on Slide 9 is copyrighted by Black Duck (https://www.blackducksoftware.com/resources/data/top-20-open-source-licenses)

• Image on Slide 10 is public domain (https://en.wikipedia.org/wiki/File:Finger_pointing.jpg)

• Image on Slide 12 is currently a non-copyrightable work under US administrative law

• Images on Slide 16 are Qualcomm proprietary