Understanding open source licensing to deliver “clean” software
Kamal Hassin
FOSSLC Summercamp 2009, May 14, 2009
May 14, 2009 FOSSLC Summercamp 2009 2
Agenda
• Background
• Open source licensing
• Best practices
• Clean IP
• Business implications
“Mixed-IP” environment
• Code re-use makes sense
• Access to code is fast and easy
• Developers carry code with them
• Distributed development and outsourcing are common
• Collaboration and plagiarism are increasing
Open source policies
“Which of the following best describes your firm’s formal policy towards OSS?” (survey response chart not reproduced in the transcript)
Source: Jeffrey Hammond, Principal Analyst, Forrester Research. InfoWorld OSBC, March 2009. http://www.eclipse.org/org/foundation/membersminutes/20090326StrategySummit/OSS-WYPAUT3_JeffreyH.pdf
Who cares?
• Buyers and sellers of software
• Software company executives
• Software development managers
• Technology transfer officers
• Lawyers
License fundamentals
• Closed versus open
• Purpose of open source licenses
– Protect IP rights of authors and owners
– Make source code available (according to conditions)
– Outline obligations and restrictions
• 65 OSI-approved licenses (May 2009)
– Ensure credibility and user confidence
• Finding the right fit
Licensing spectrum
(figure: licenses placed on a spectrum running from attribution-style terms to distribution-style terms)
Attribution ↔ Distribution
Licenses shown: Public domain, BSD, MIT, Apache, LGPL 2.1, GPL 2.0, CPL, Eclipse, Mozilla, IBM
Code usage and interaction
(figure adapted from Black Duck Software, 2007: a grid of license spectrum against degree of code integration)
License spectrum: BSD – LGPL – GPL
Code integration, from separate to integrated: separate work, dynamic library, module, file or fragment (shown for each of the three licenses)
License interpretation
• “Low risk” can still equal high cost
– Veritas v. Microsoft
• Language is complex, evolving, and open to interpretation
– Jacobsen v. Katzer
• Embedded systems can be surprising
– Free Software Foundation v. Cisco/Linksys
License infringement
• Enforced injunction depends on legal processes, but the gap is closing
• Some customers are demanding indemnification from software companies
• Any company that is a defendant in third-party IP litigation ends up with losses
• “Sticking your head in the sand” is not a solution
License enforcement
• Incipient case law, reliance on industry and adoption practices
• Organized GPL enforcement
– Gpl-violations.org
– Free Software Foundation
– Software Freedom Law Center
• How do we use this stuff legally?
• What is my organization’s IP policy?
License compliance best practices
• Define an IP policy based on organization’s goals and choose solutions that help implement it
• Consider preventive versus corrective solutions
• Improve due diligence processes
– Education
– Explicit checks and manual examination
– Automated tools
License compliance best practices
• Continuously track code pedigree and licenses for all external contributions
– What is its origin?
– Who wrote it?
– How will I use it?
– Does it comply with my IP policy?
• Integrate license compliance solutions into existing development processes with minimal disruption
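As an added example (not code from the talk or from Protecode), the following Python script shows what a minimal automated version of this pedigree tracking looks like: each external contribution is recorded with the slide's four questions (origin, author, intended use, policy compliance), its license is detected from an SPDX tag or a header phrase, and the result is checked against an IP policy for a proprietary product that is distributed to customers. It also exercises the tool levels named later in the deck: bill of materials generation, license compliance checking, and a license compatibility check keyed on the integration kind from the "Code usage and interaction" slide. The license families, the header heuristics, the policy rules and every sample contribution are constructed assumptions of this example.

```python
"""Pedigree tracking and IP-policy check for external code (added example).

Assumptions, not from the talk: the license families, header heuristics,
policy rules and sample contributions below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# License families used by the constructed policy (SPDX identifiers).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "MPL-2.0", "EPL-1.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}

# Integration kinds from the slide, least to most integrated.
USAGE_KINDS = ("separate work", "dynamic library", "module", "file or fragment")

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")

# Header phrases used when no SPDX tag is present (assumed heuristic; LGPL before GPL).
HEADER_PATTERNS = [
    (re.compile(r"Permission is hereby granted, free of charge"), "MIT"),
    (re.compile(r"Redistribution and use in source and binary forms"), "BSD-3-Clause"),
    (re.compile(r"Licensed under the Apache License, Version 2\.0"), "Apache-2.0"),
    (re.compile(r"GNU Lesser General Public License"), "LGPL-2.1-or-later"),
    (re.compile(r"GNU General Public License"), "GPL-2.0-or-later"),
]


@dataclass
class Contribution:
    """One external contribution plus the slide's pedigree questions."""
    path: str
    origin: str   # What is its origin?
    author: str   # Who wrote it?
    usage: str    # How will I use it? (one of USAGE_KINDS)
    header: str   # first lines of the file, where the license notice lives


def detect_license(text):
    """SPDX identifier from a tag or a known header phrase, else UNKNOWN."""
    m = SPDX_RE.search(text)
    if m:
        return m.group(1)
    for pattern, spdx in HEADER_PATTERNS:
        if pattern.search(text):
            return spdx
    return "UNKNOWN"


def classify(spdx):
    if spdx in PERMISSIVE:
        return "permissive"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def evaluate(category, usage, pedigree_known=True):
    """Constructed policy for a proprietary product shipped to customers.

    Weak copyleft is accepted only while it stays separable (separate work or
    dynamic library), strong copyleft only as a separate work; an unknown
    license or unknown pedigree always needs a human decision ("review").
    """
    if usage not in USAGE_KINDS:
        raise ValueError(f"unknown usage kind: {usage!r}")
    if category == "permissive":
        verdict = "allowed"
    elif category == "weak-copyleft":
        verdict = "allowed" if usage in ("separate work", "dynamic library") else "review"
    elif category == "strong-copyleft":
        verdict = "allowed" if usage == "separate work" else "blocked"
    else:
        verdict = "review"
    if verdict == "allowed" and not pedigree_known:
        verdict = "review"   # cannot answer "does it comply?" without origin and author
    return verdict


def build_bom(contributions):
    """Bill of materials: one record per contribution with license and verdict."""
    bom = []
    for c in contributions:
        spdx = detect_license(c.header)
        category = classify(spdx)
        known = "unknown" not in (c.origin.lower(), c.author.lower())
        bom.append({"path": c.path, "origin": c.origin, "author": c.author,
                    "usage": c.usage, "license": spdx, "category": category,
                    "verdict": evaluate(category, c.usage, known)})
    return bom


def summarize(bom):
    counts = {}
    for entry in bom:
        counts[entry["verdict"]] = counts.get(entry["verdict"], 0) + 1
    return counts


# Constructed sample contributions: paths, origins, authors and headers are invented.
SAMPLE_CONTRIBUTIONS = [
    Contribution("vendor/json/parse.c", "jsonlib 1.2 tarball (constructed)", "J. Doe",
                 "file or fragment", "// SPDX-License-Identifier: MIT\n// json parser\n"),
    Contribution("lib/shim.c", "shim-0.9 download (constructed)", "K. Example",
                 "dynamic library", "/* ... under the terms of the GNU Lesser General Public License ... */\n"),
    Contribution("src/net/ftp_client.c", "contractor delivery (constructed)", "Acme Outsourcing",
                 "module", "/* ... under the terms of the GNU General Public License ... */\n"),
    Contribution("src/util/hexdump.c", "unknown", "unknown", "file or fragment",
                 "/* hexdump helper */\n"),
]

if __name__ == "__main__":
    bom = build_bom(SAMPLE_CONTRIBUTIONS)
    for entry in bom:
        print(f'{entry["verdict"]:8} {entry["license"]:18} {entry["usage"]:16} {entry["path"]}')
    print(summarize(bom))
```

Running the script prints one bill-of-materials line per contribution and a count per verdict; in a real pipeline the same records would be written at every commit so that the "who wrote it / where did it come from" questions are answered while the author is still around, rather than reconstructed during due diligence.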
Clean IP
(table: each Clean IP variable is scored on Clean IP levels 1 to 4; the level columns are not recoverable from the transcript, so the practices for each variable are listed in slide order)
A. Preventive measures: Policies exist; Policies enforced; Some education; Company-wide policies; Periodic monitoring; Project-oriented policies; Full education; Real-time monitoring
B. License compliance tools: Manual string searches; In-house tools; Bill of materials generation; Automated scanning tools; License compliance checking; Automatic pedigree generation; License compatibility checking; Integrated into DE
C. Customer indemnification: Maintenance contracts; Usage guidelines; Limited indemnification; Infringing code replacement; Partial customer support; Full indemnification; Full customer support
D. Clean code library: Local ad-hoc library; Manual search; Central library exists; Limited search for legacy code; Periodic updates; Module/fragment search for legacy code; Automatic updates; Full search and dependency analysis
E. Outsourcing practices: Internal, legal approval; Continuous scanning of all incoming code; Periodic scanning at milestones by third party; License compliance reports; Outsourcer assurance required
When is clean IP addressed?
Project timeline: BEFORE, DURING, AFTER, or NEVER
BEFORE: project planning
• Necessary, but not sufficient
DURING: periodic monitoring
• Expensive
• Correction required
• Disruptive
DURING: real-time monitoring
• Platform/IDE integration
• Customization required
AFTER: external organization
• Very expensive
• After-the-fact correction
• Lengthy process
AFTER: internal organization
• Ad-hoc tools
• After-the-fact correction
• Lengthy process
How is clean IP addressed?
(figure: approaches arranged on two axes, manual versus automated and preventive versus corrective)
• Commercial
• Internal processes
• Due diligence service companies
• Academic
• Commercial
• Education, ethics
• Use only known code
License compliance tools
• Commercial products (product chart not reproduced in the transcript)
• Clean IP levels 1 to 4 for license compliance tools, in slide order: Manual string searches; In-house tools; Bill of materials generation; Automated scanning scripts, tools; License compliance checking; Automatic pedigree generation; License compatibility checking; Integrated into DE
Criteria for tool choice
• Effectiveness
• Ease of use
• Cost
• Integration
• Legacy code analysis
• Transparency
• Learning and training
• Interpretation
Business implications
• Clean IP methods impact product development as well as management, hiring/training, and quality processes
• It is impossible for a company to grant warranties or indemnification to customers if its software product cannot guarantee clean IP
• Delivering unclean IP reduces ability to create partnerships
• Under copyright law, the licensor of code can also sue “downstream licensees” for infringement
– Think about Cisco case
Business implications
• In any merger and acquisition or funding deal, uncertainty over clean IP
– Generates risk and threatens successful closure
– Increases product time to market
– Affects software IP valuation and overall business valuation
• Remediation is time-consuming and expensive
• IP infringement litigation can drag on for years and drain company resources
– Think about Cisco case (again)
Functional opportunities
• Build clean IP services on a collaborative platform that provides real-time access to code
– Improve efficiency of code scanning and approval process
– Produce real-time compliance reports for appropriate teams
– Reduce cost and risk by addressing clean IP issues earlier in product development
Functional opportunities
• Implement clean IP as a distributed service as opposed to having a “single door checklist” every time a supplier contributes IP
– Can be applied to supply chain, parallel to quality assurance methods
– Reduces time and resources spent by integrator to ensure clean IP
• Automate identification of code usage and interaction
– Separate modules, static/dynamic linking, embedded components
• “Reverse” IP identification: who is using my IP?
Partnership opportunities
• Real-time IP management and software collaboration platforms
• Software IP auditing services and legal firms
• IP policy management and universities
• Software quality organizations and open source licensing authorities
Conclusions
• Software development practices are evolving and new concerns arise in various industries
• Define an IP policy based on organization’s goals and choose solutions that help implement it
• Methods to ensure clean IP are improving to reflect more business drivers
– Preventive versus corrective solutions
• Let opportunity be your motivation, take a proactive approach to clean IP
Questions
Kamal Hassin, Technical marketing specialist
Protecode, [email protected]
www.protecode.com