Understanding open source licensing to deliver “clean” software Kamal Hassin FOSSLC Summercamp 2009 May 14, 2009


Agenda

• Background

• Open source licensing

• Best practices

• Clean IP

• Business implications


“Mixed-IP” environment

• Code re-use makes sense

• Access to code is fast and easy

• Developers carry code with them

• Distributed development and outsourcing is common

• Collaboration and plagiarism are increasing

Open source policies

“Which of the following best describes your firm’s formal policy towards OSS?”

(Survey results shown as a chart in the original slide.)

Source: Jeffrey Hammond, Principal Analyst, Forrester Research; InfoWorld OSBC, March 2009; http://www.eclipse.org/org/foundation/membersminutes/20090326StrategySummit/OSS-WYPAUT3_JeffreyH.pdf

Who cares?

• Buyers and sellers of software

• Software company executives

• Software development managers

• Technology transfer officers

• Lawyers


License fundamentals

• Closed versus open

• Purpose of open source licenses
– Protect IP rights of authors and owners
– Make source code available (according to conditions)
– Outline obligations and restrictions

• 65 OSI-approved licenses (May 2009)
– Ensure credibility and user confidence

• Finding the right fit

Licensing spectrum

(Figure: licenses placed along two axes labelled Attribution and Distribution. Licenses shown: Public domain, MIT, BSD, Apache, LGPL 2.1, GPL 2.0, CPL, Eclipse, Mozilla, IBM.)

Code usage and interaction

(Figure, adapted from Black Duck Software, 2007.)

License spectrum: BSD, LGPL, GPL

Code integration, from separate to integrated: separate work, dynamic library, module, file or fragment

The figure repeats the four integration modes for each of the three licenses, i.e. it is a grid of license against how closely the licensed code is combined with your own.

License interpretation

• “Low risk” can still equal high cost
– Veritas v. Microsoft

• Language is complex, evolving, and open to interpretation
– Jacobsen v. Katzer

• Embedded systems can be surprising
– Free Software Foundation v. Cisco/Linksys

License infringement

• Enforced injunction depends on legal processes, but the gap is closing

• Some customers are demanding indemnification from software companies

• Any company that is a defendant in third party IP litigation ends up with losses

• “Sticking your head in the sand” is not a solution

May 14, 2009 FOSSLC Summercamp 2009 11

License enforcement

• Incipient case law, reliance on industry and adoption practices

• Organized GPL enforcement
– gpl-violations.org
– Free Software Foundation
– Software Freedom Law Center

• How do we use this stuff legally?

• What is my organization’s IP policy?

License compliance best practices

• Define an IP policy based on organization’s goals and choose solutions that help implement it

• Consider preventive versus corrective solutions

• Improve due diligence processes
– Education
– Explicit checks and manual examination
– Automated tools

License compliance best practices

• Continuously track code pedigree and licenses for all external contributions
– What is its origin?
– Who wrote it?
– How will I use it?
– Does it comply with my IP policy?

• Integrate license compliance solutions into existing development processes with minimal disruption

Clean IP

Clean IP variables, each scored at Clean IP level 1, 2, 3 or 4. The original slide is a table that spreads the following indicators across the four levels; they are listed here per variable.

A. Preventive measures: policies exist; policies enforced; some education; company-wide policies; periodic monitoring; project-oriented policies; full education; real-time monitoring

B. License compliance tools: manual string searches; in-house tools; bill of materials generation; automated scanning tools; license compliance checking; automatic pedigree generation; license compatibility checking; integrated into DE

C. Customer indemnification: maintenance contracts; usage guidelines; limited indemnification; infringing code replacement; partial customer support; full indemnification; full customer support

D. Clean code library: local ad-hoc library; manual search; central library exists; limited search for legacy code; periodic updates; module/fragment search for legacy code; automatic updates; full search and dependency analysis

E. Outsourcing practices: internal, legal approval; continuous scanning of all incoming code; periodic scanning at milestones by third party; license compliance reports; outsourcer assurance required

When is clean IP addressed?

Project timeline: BEFORE, DURING, AFTER (or NEVER)

Before: project planning
• Necessary, but not sufficient

During: periodic monitoring
• Expensive
• Correction required
• Disruptive

During: real-time monitoring
• Platform/IDE integration
• Customization required

After: external organization
• Very expensive
• After-the-fact correction
• Lengthy process

After: internal organization
• Ad-hoc tools
• After-the-fact correction
• Lengthy process

How is clean IP addressed?

(Figure: a matrix of manual versus automated approaches against preventive versus corrective approaches.) Approaches shown:

• Commercial tools

• Internal processes

• Due diligence service companies

• Academic tools

• Education, ethics

• Use only known code

License compliance tools

• Commercial products, by Clean IP level 1 to 4: manual string searches; in-house tools; bill of materials generation; automated scanning scripts and tools; license compliance checking; automatic pedigree generation; license compatibility checking; integrated into DE
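The pedigree questions on the best-practices slides (origin, author, intended use, policy compliance), the tool capabilities listed above (bill of materials generation, license compliance checking, license compatibility checking) and the integration axis from the code usage and interaction slide can be made concrete with a small scanner. The following is an added example written for this page; it is not code from the talk or from Protecode. It assumes a closed-source product, detects licenses only from SPDX tags and a handful of well-known license phrases, and uses a deliberately simplified policy table plus one well-known incompatible pair (GPL-2.0 with Apache-2.0). The sample files, paths, copyright holders and the integration map are all constructed.

```python
"""Added example (not from the slides or Protecode): pedigree / bill-of-materials
scanner with a policy and compatibility check for a closed-source product.
License phrases, the policy table and the sample files are assumptions."""
import re
import tempfile
from pathlib import Path

# Constructed sample tree: four third-party files plus one in-house file.
SAMPLE_TREE = {
    "vendor/fastjson/json.c": "// SPDX-License-Identifier: MIT\n"
                              "// Copyright (c) 2008 J. Doe\nint parse(void) { return 0; }\n",
    "vendor/libcrypt/crypt.c": "/* This library is free software; you can redistribute it and/or\n"
                               " * modify it under the terms of the GNU Lesser General Public License */\n",
    "vendor/netfilter/nf.c": "// SPDX-License-Identifier: GPL-2.0-only\n"
                             "// Copyright (c) 2005 K. Tester\nint filter(void) { return 1; }\n",
    "vendor/httpx/http.c": "// SPDX-License-Identifier: Apache-2.0\n"
                           "// Copyright (c) 2007 Example Foundation\nint get(void) { return 2; }\n",
    "src/app/main.c": "// Copyright (c) 2009 Example Corp. All rights reserved.\nint main(void) { return 0; }\n",
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|\u00a9)?\s*(\d{4})\s*([^\n]+)", re.I)
# Fallback phrases (assumed subset). LGPL must be tested before GPL.
LICENSE_PHRASES = [
    ("LGPL", re.compile(r"GNU Lesser General Public License", re.I)),
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,? Version 2\.0", re.I)),
]
# Assumed policy for a closed product: license family -> integration modes allowed,
# following the BSD -> LGPL -> GPL spectrum and the separate work -> dynamic
# library -> module -> file/fragment integration axis from the slides.
FAMILY_RULES = [  # (SPDX prefixes, family, allowed integration modes)
    (("LGPL", "MPL", "EPL", "CPL"), "weak-copyleft", {"separate", "dynamic"}),
    (("GPL", "AGPL"), "strong-copyleft", {"separate"}),
    (("MIT", "BSD", "Apache", "ISC"), "permissive", {"separate", "dynamic", "module", "fragment"}),
]
INCOMPATIBLE = {frozenset({"GPL-2.0", "Apache-2.0"})}  # well-known incompatible pair
INTEGRATED = {"module", "fragment"}  # modes that make one combined work


def detect_license(text):
    """SPDX tag wins (version suffixes stripped); else a phrase; else UNKNOWN."""
    m = SPDX_RE.search(text)
    if m:
        return m.group(1).replace("-only", "").replace("-or-later", "")
    for name, pat in LICENSE_PHRASES:
        if pat.search(text):
            return name
    return "UNKNOWN"


def license_family(lic):
    for prefixes, family, _ in FAMILY_RULES:
        if lic.startswith(prefixes):
            return family
    return "unknown"


def scan_tree(root):
    """Pedigree record (path, license, holder, year) for every file under root."""
    root = Path(root)
    bom = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        c = COPYRIGHT_RE.search(text)
        bom.append({"path": path.relative_to(root).as_posix(),
                    "license": detect_license(text),
                    "holder": c.group(2).strip() if c else "unknown",
                    "year": c.group(1) if c else None})
    return bom


def check_policy(bom, integration, own_holder):
    """integration: path prefix -> how that code is combined (default fragment).
    Returns (path, license, mode, reason) tuples that need a human decision."""
    findings, combined = [], {}
    for e in bom:
        if own_holder in e["holder"]:
            continue  # in-house code, not an external contribution
        mode = next((m for pre, m in integration.items() if e["path"].startswith(pre)), "fragment")
        fam = license_family(e["license"])
        allowed = next((a for _, f, a in FAMILY_RULES if f == fam), set())
        if fam == "unknown":
            findings.append((e["path"], e["license"], mode, "unknown license, manual review"))
        elif mode not in allowed:
            findings.append((e["path"], e["license"], mode, f"{fam} not allowed as {mode}"))
        if mode in INTEGRATED:
            combined[e["license"]] = e["path"]
    for pair in INCOMPATIBLE:  # licenses that cannot coexist in one combined work
        if pair.issubset(combined):
            findings.append((", ".join(combined[l] for l in sorted(pair)),
                             "+".join(sorted(pair)), "integrated", "incompatible licenses in one work"))
    return findings


def build_sample_tree():
    """Write the constructed SAMPLE_TREE to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


if __name__ == "__main__":
    bom = scan_tree(build_sample_tree())
    modes = {"vendor/libcrypt": "dynamic", "vendor/netfilter": "module"}
    for finding in check_policy(bom, modes, own_holder="Example Corp"):
        print(*finding, sep=" | ")
```

Run as is, it reports two findings: the GPL-2.0 file linked in as a module, and the GPL-2.0/Apache-2.0 pair combined into one work; recording the netfilter code as a separate work instead clears both. The policy table stands in for counsel's decision, and phrase matching reports the LGPL file without a version; a real scanner matches full license texts and records versions, which matters for compatibility decisions.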


Criteria for tool choice

• Effectiveness

• Ease of use

• Cost

• Integration

• Legacy code analysis

• Transparency

• Learning and training

• Interpretation


Business implications

• Clean IP methods impact product development as well as management, hiring/training, and quality processes

• It is impossible for a company to grant warranties or indemnification to customers if its software product cannot guarantee clean IP

• Delivering unclean IP reduces ability to create partnerships

• Under copyright law, the licensor of code can also sue “downstream licensees” for infringement
– Think about the Cisco case

Business implications

• In any merger and acquisition or funding deal, uncertainty over clean IP
– Generates risk and threatens successful closure
– Increases product time to market
– Affects software IP valuation and overall business valuation

• Remediation is time-consuming and expensive

• IP infringement litigation can drag on for years and drain company resources
– Think about the Cisco case (again)

Functional opportunities

• Build clean IP services on a collaborative platform that provides real-time access to code
– Improve efficiency of code scanning and approval process
– Produce real-time compliance reports for appropriate teams
– Reduce cost and risk by addressing clean IP issues earlier in product development

Functional opportunities

• Implement clean IP as a distributed service as opposed to having a “single door checklist” every time a supplier contributes IP
– Can be applied to the supply chain, parallel to quality assurance methods
– Reduces time and resources spent by the integrator to ensure clean IP

• Automate identification of code usage and interaction
– Separate modules, static/dynamic linking, embedded components

• “Reverse” IP identification: who is using my IP?

Partnership opportunities

• Real-time IP management and software collaboration platforms

• Software IP auditing services and legal firms

• IP policy management and universities

• Software quality organizations and open source licensing authorities


Conclusions

• Software development practices are evolving and new concerns arise in various industries

• Define an IP policy based on organization’s goals and choose solutions that help implement it

• Methods to ensure clean IP are improving to reflect more business drivers
– Preventive versus corrective solutions

• Let opportunity be your motivation, take a proactive approach to clean IP


Questions

Kamal Hassin, Technical marketing specialist

Protecode

[email protected]

www.protecode.com