where’s the license?

Protecode Inc. 2014. Where’s the License?!? June 18th 2014

Upload: protecode

Post on 07-Aug-2015


Category: Software



TRANSCRIPT

Where’s the License?!?

June 18th 2014

Agenda

Why Licensing Matters

What defines Free and Open Source Software

Where to look

What to do with licenses found

Tools and Resources

Q & A

Normand Glaude, COO, Protecode


Disclaimer: I am not a lawyer. The material presented in this webinar is for informational purposes only and not for the purpose of providing legal advice.


Open Source Software

The good: enables rapid software development
– Easy access to code, hundreds of thousands of projects
– Faster, more functional
– Enables new business models

The challenge: uncertain ownership structure
– Intellectual property: copyright, license
– Requires due diligence


Why Licensing Matters

Copyright Laws are (mostly) Universal
– Governed by the WTO; 168 states are parties to the Berne Convention
• Copyright is automatic, whether registered or not

Open Source Licenses
– Copyright owner’s way of giving the right to use
– Most open source licenses have obligations
– May or may not suit your business model


FOSS, as in Free Software?

Free Software, according to the Free Software Foundation:

“Free software” means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”.

Source: http://www.gnu.org/philosophy/free-sw.html

“… Open Source misses the point of Free Software.”

Source: http://www.gnu.org/philosophy/open-source-misses-the-point.html


FOSS, as in Open Source Software?

The Open Source Definition, according to the Open Source Initiative:

1. Free Redistribution

2. Source Code

3. Derived Works

4. Integrity of The Author's Source Code

5. No Discrimination Against Persons or Groups

6. No Discrimination Against Fields of Endeavor

7. Distribution of License

8. License Must Not Be Specific to a Product

9. License Must Not Restrict Other Software

10. License Must Be Technology-Neutral

Source: http://www.gnu.org/philosophy/open-source-misses-the-point.html


Where to find licensing information

Everywhere!
– Any and every file in the package
• Source code, header files, license files, readme, archives…
– Even outside the package
• Website, forums

Information to consider
– Full license text
– References to licenses
– Documentation that clarifies licensing
– Location where references/text was found
– Documentation external to the package


File License

Reference to license information
– Typically found in the header section of the file
– Generally applies to the whole file (sometimes to a code snippet)
– Impractical to include the complete license text


License and Copyright Use

Source: Protecode GIPS™ Database


Full License Text

Required by all licenses
– Web sites and links change over time
– A package is transferred as a unit, so the included license text does not change

Contains
– Permissions, conditions, obligations, disclaimers, exceptions, etc.

Location Matters!
– Where did you find the license file?
• At the root of the package?
• In a sub-folder?
• In a documentation folder?
– What is the scope of the license?


Full Text License Example


License Notices

Documentation about licenses
– Often found at or near the root of a package
– Contains statements and clarifications about licenses
• Are they conjunctive (AND) or disjunctive (OR)?
• Are 3rd party components included or packaged separately?
– Understand the structure of the package

Often depends on hosting forge and language
– Examples:
• GitHub: license.md, readme.md
• Ruby: packaged as Gem files with embedded license tags

Internal and External References


License Notice Example


Project Types

Simple
– Homogenous licensing
– Original content, no 3rd party included in packages
Example: Apache HTTPClient

Composite
– Mixed or homogenous licensing
– Some original content, some 3rd party
Example: Vaadin

Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
Example: 4MLinux


So, which license applies?

Dual and multi-licensing
– Pick one

Relicensing vs. sublicensing
– Pick

Compatibility of licenses
– Incompatibilities mostly with copyleft licenses
– GPL incompatibilities are well documented

Files with no copyright
– Whose creation?

Ask for clarification!


Tooling

Free Tools
– Perform a superficial scan of the source code
• Fossology (http://www.fossology.org)
• SPDX (http://spdx.org)
• Windriver (http://spdx.windriver.com)
• Ninka (http://ninka.turingmachine.org)

Commercial tools
– Perform a deep scan of the source code, archives and binaries
• Use a reference database
• Identify full file content AND code snippets
• Find project information: source repositories, security vulnerabilities, etc.
– Perform a local scan of the source code
• Identify attributes of proprietary software not found in the reference DB


Automated Software Scanning

Automated Scan (Protecode Enterprise Analyzer™)
• Target files: source code, binaries, archives
• Information files
– README, COPYING, LICENCE.txt, etc.
• Two-step scan:
1. Local scrubbing of software files
2. Similarity with public-domain OSS
• Fast: ~4k files (100 – 200 Mbytes)/hour

Raw machine output
• OSS projects, packages, versions, licenses, copyrights, vulnerabilities, encryption content, etc.
• Modified/unmodified software
• Proprietary, unknowns, conflicting licenses, etc.
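The two-step scan described on this slide, as an added example that is not Protecode's Enterprise Analyzer or any code from the deck: a constructed reference database of "known OSS" files stands in for the public-side knowledge, step 1 scrubs each target file locally (comments and whitespace removed, the content hashed and cut into snippet fingerprints), and step 2 compares the result against the database to label the file unmodified, modified or unknown, together with the matched project's license. The project names, file contents, window size and match threshold are all constructed for illustration.

```python
import hashlib
import re

# Constructed reference database of "known OSS" files (not real projects): the
# public-side knowledge a scanner compares against, with each file's license.
REFERENCE_SOURCES = {
    "tinylog-1.0/log.c": ("MIT", """\
#include <stdio.h>
/* tinylog: minimal logger (constructed sample) */
static int level = 1;
void log_set_level(int l) { level = l; }
void log_msg(int l, const char *m) {
    if (l < level) return;
    fputs(m, stderr);
}
"""),
    "minihash-0.3/hash.c": ("GPL-2.0", """\
/* minihash (constructed sample) */
unsigned fnv1a(const char *s) {
    unsigned h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}
"""),
}

# Constructed files from the package under review: a reformatted copy, a
# patched copy, and a file with no OSS ancestry at all.
TARGET_COPY = """\
// copied into our tree, comment rewritten and re-indented
#include <stdio.h>

static int level = 1;
void log_set_level(int l) { level = l; }
void log_msg(int l, const char *m) {
        if (l < level) return;
        fputs(m, stderr);
}
"""
TARGET_PATCHED = """\
#include <stdio.h>
static int level = 1;
static int log_count = 0;
void log_set_level(int l) { level = l; }
void log_msg(int l, const char *m) {
    if (l <= level) return; // patched locally
    fputs(m, stderr);
}
"""
TARGET_PROPRIETARY = """\
/* Copyright (c) 2014 Example Corp. Proprietary. */
#include <stdio.h>
int billing_total(int units, int rate) { return units * rate; }
"""

K = 2                   # snippet window: consecutive scrubbed lines per fingerprint
MATCH_THRESHOLD = 0.3   # fraction of a reference file's snippets that must survive


def scrub(text):
    """Step 1, local scrubbing: drop comments and collapse whitespace so
    cosmetic edits do not hide a match. Returns the non-empty scrubbed lines."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    lines = (re.sub(r"\s+", " ", line).strip() for line in text.splitlines())
    return [line for line in lines if line]


def digest(s):
    return hashlib.sha256(s.encode()).hexdigest()


def fingerprints(lines, k=K):
    """Hash every window of k consecutive scrubbed lines: the snippet signature."""
    if len(lines) < k:
        return {digest("\n".join(lines))}
    return {digest("\n".join(lines[i:i + k])) for i in range(len(lines) - k + 1)}


def build_reference_db(sources):
    db = {}
    for name, (lic, text) in sources.items():
        lines = scrub(text)
        db[name] = {"license": lic, "hash": digest("\n".join(lines)),
                    "fingerprints": fingerprints(lines)}
    return db


REFERENCE_DB = build_reference_db(REFERENCE_SOURCES)


def identify(text, db=REFERENCE_DB, threshold=MATCH_THRESHOLD):
    """Step 2, similarity with known OSS: exact (scrubbed) hash first, then the
    share of a reference file's snippets that reappear in the target."""
    lines = scrub(text)
    h = digest("\n".join(lines))
    for name, ref in db.items():
        if ref["hash"] == h:
            return {"status": "unmodified", "match": name, "license": ref["license"], "score": 1.0}
    fps = fingerprints(lines)
    best_name, best_score = None, 0.0
    for name, ref in db.items():
        score = len(fps & ref["fingerprints"]) / len(ref["fingerprints"])
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return {"status": "modified", "match": best_name,
                "license": db[best_name]["license"], "score": best_score}
    return {"status": "unknown", "match": None, "license": None, "score": best_score}


if __name__ == "__main__":
    for label, text in [("copy", TARGET_COPY), ("patched", TARGET_PATCHED), ("proprietary", TARGET_PROPRIETARY)]:
        print(label, identify(text))
```

The scrubbing step is what lets the reformatted copy still hash-match its origin, and the snippet score is what keeps the patched copy attributable (half of the reference windows survive the two local edits) while the proprietary file shares no window with either reference and stays "unknown", which is exactly the bucket a reviewer then has to clear by hand.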


Typical Licensing Issues Uncovered in Open Source

OSS content with ambiguous / no license terms
– Software with copyrights but no licenses
– Software with authors but no copyrights / licenses
– Software with no pedigree information
– Software with conflicting license information
– Public domain software with proprietary licenses

License / business model mismatch
– e.g. modified restrictive/copyleft licensed content in closed source commercial software
– Cloud deployments and newer license models
– Warranties and support models
– Attribution obligation
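As an added example (not Protecode's tooling and not code from the deck), the following Python script walks a package the way the "Where to find licensing information", "File License", "Location Matters" and "Typical Licensing Issues" slides describe: it collects full license texts and notice files, inspects each source file's header for SPDX tags, license references and copyright/author lines, resolves which license file governs a file from its location in the tree, and flags the first four issue types listed above. The package tree, the license-name patterns and the issue rules are constructed for illustration; they are not the GIPS database, a real project, or a complete detector.

```python
import re
from pathlib import PurePosixPath

# Constructed sample package (not a real project); paths map to file contents.
SAMPLE_PACKAGE = {
    "LICENSE": "Apache License\nVersion 2.0, January 2004\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n",
    "README.md": "# demo-lib\nLicensed under the Apache License 2.0; see LICENSE.\n",
    "src/core.c": "/* Copyright (c) 2014 Example Corp.\n * SPDX-License-Identifier: Apache-2.0\n */\nint core(void) { return 0; }\n",
    "src/util.c": "/* Copyright (c) 2012 Someone Else */\nint util(void) { return 1; }\n",
    "src/hash.c": "/* Author: J. Doe */\nunsigned h(unsigned x) { return x * 31u; }\n",
    "src/glue.c": "int glue(void) { return 2; }\n",
    "third_party/zlog/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n",
    "third_party/zlog/zlog.c": "/* Copyright 2010 Zlog Authors. Licensed under the MIT License. */\nvoid zlog(void) {}\n",
}

# Heuristic license-name patterns mapped to SPDX-style identifiers (a small,
# constructed subset; a real scanner carries far more and matches full texts).
LICENSE_PATTERNS = [
    ("Apache-2.0", re.compile(r"Apache License,?\s*(?:Version\s*)?2\.0|Apache-2\.0", re.I)),
    ("GPL-2.0", re.compile(r"GNU General Public License\s*Version 2|GPL-?2|GPLv2", re.I)),
    ("MIT", re.compile(r"\bMIT License\b|\bMIT\b")),
    ("BSD-3-Clause", re.compile(r"BSD 3-Clause|Redistribution and use in source and binary forms", re.I)),
]
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)")
COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}|\(c\)\s*\d{4}", re.I)
AUTHOR_RE = re.compile(r"^\W*authors?\s*:", re.I | re.M)
LICENSE_FILE_STEMS = {"license", "licence", "copying"}   # full license text
NOTICE_FILE_STEMS = {"readme", "notice"}                 # documentation about licenses
HEADER_LINES = 20   # only the file header is inspected for license references


def licenses_in(text):
    """Identifiers whose pattern occurs in text, in table order."""
    return [lid for lid, rx in LICENSE_PATTERNS if rx.search(text)]


def classify(path):
    stem = PurePosixPath(path).stem.lower()
    if stem in LICENSE_FILE_STEMS:
        return "license"
    if stem in NOTICE_FILE_STEMS:
        return "notice"
    return "source"


def governing_license_file(path, license_dirs):
    """Location matters: walk up from the file's directory to the nearest full
    license text, which by default governs everything below it."""
    d = PurePosixPath(path).parent
    while True:
        if str(d) in license_dirs:
            return license_dirs[str(d)]
        if d == PurePosixPath("."):
            return None
        d = d.parent


def scan_package(files):
    license_dirs, notices = {}, {}
    for path, text in files.items():
        kind = classify(path)
        if kind == "license":
            license_dirs[str(PurePosixPath(path).parent)] = {"file": path, "licenses": licenses_in(text)}
        elif kind == "notice":
            notices[path] = licenses_in(text)
    report = {"license_files": license_dirs, "notices": notices, "files": {}, "issues": []}
    for path, text in files.items():
        if classify(path) != "source":
            continue
        head = "\n".join(text.splitlines()[:HEADER_LINES])
        spdx = SPDX_RE.search(head)
        expr = spdx.group(1) if spdx else None
        declared = set(licenses_in(head))
        if expr:
            declared.add(expr)
        has_copyright = bool(COPYRIGHT_RE.search(head))
        has_author = bool(AUTHOR_RE.search(head))
        gov = governing_license_file(path, license_dirs)
        report["files"][path] = {"spdx": expr, "declared": sorted(declared), "copyright": has_copyright,
                                 "governing": gov["file"] if gov else None}
        # Issue rules (constructed heuristics) mirroring the slide's first four bullets.
        if has_copyright and not declared:
            report["issues"].append(("copyright-no-license", path))
        elif has_author and not has_copyright and not declared:
            report["issues"].append(("author-no-copyright", path))
        elif not (has_copyright or has_author or declared):
            report["issues"].append(("no-pedigree", path))
        # Header names a license the governing text does not; a dual-licence
        # "A OR B" expression is a choice, not a conflict, so it is skipped.
        if declared and gov and gov["licenses"] and not (declared & set(gov["licenses"])) \
                and not (expr and " OR " in expr):
            report["issues"].append(("conflicting-license", path))
    return report


if __name__ == "__main__":
    rep = scan_package(SAMPLE_PACKAGE)
    for d, lf in rep["license_files"].items():
        print(f"license text {lf['file']} ({', '.join(lf['licenses']) or 'unrecognised'}) governs {d}/")
    for kind, path in rep["issues"]:
        print(f"{kind}: {path} (governing file: {rep['files'][path]['governing']})")
```

Every finding carries the governing license file, so the reviewer can see that util.c's foreign copyright sits under the root Apache text while zlog.c's MIT header sits under a GPL-2.0 COPYING in its own sub-folder, which is the "which license applies, ask for clarification" situation rather than something a script should decide.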


Open Source License Resources

Software Freedom and Intellectual Property Law, by Lawrence Rosen

• http://www.rosenlaw.com/oslbook.htm

Open Source Initiative

• http://opensource.org/licenses

Free Software Foundation

• https://www.fsf.org/

SPDX: Software Package Data Exchange®

• http://spdx.org

Fossology

• http://www.fossology.org/

Contact Us:

http://protecode.com

Please type your questions into the chat box to the right.

