• Share
  • Email
  • Embed
  • Like
  • Private Content
Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues
 

Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues

on

  • 1,897 views

Slides presented by Peter Vescuso, Black Duck Software's EVP of Marketing & Business Development, at the Linux Foundation's Android Builder’s Summit. ...

Slides presented by Peter Vescuso, Black Duck Software's EVP of Marketing & Business Development, at the Linux Foundation's Android Builder’s Summit.

As Android devices grow in popularity and the market expands, developers are eager to tap into its potential, but must be able to manage what is a relatively complex code base and be able to react quickly to rapidly changing feature sets. They also must do so in a way that complies with license obligations, or put themselves and their innovations at risk. While Android is well documented, easily accessible and being rapidly adopted, there are some misperceptions regarding its complexity and licensing. With 165 sub components, Android is fairly complex. Depending on how its many components are integrated and licensed with a device manufacturers own code is not trivial and may create risk and exposure. The Android has declared its license as Apache 2.0, but much of Android uses non-Apache licensed code licensed with the GPL, LGPL and many other licenses, including licenses not approved by the OSI. Attendees will learn about the composition of Android, its structure and components, and the many open source licenses it uses, and the issues a typical device manufacturer needs to address. Finally we will present best practices for managing the complexity of Android, especially as a participant in the mobile supply chain, and ensure compliance with its many licenses.

Statistics

Views

Total Views
1,897
Views on SlideShare
1,840
Embed Views
57

Actions

Likes
2
Downloads
34
Comments
0

2 Embeds 57

http://www.techgig.com 42
http://paper.li 15

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues Presentation Transcript

    • Managing Android and theComplexity Inside:Understanding the Open Source Licenseand Compliance IssuesPeter VescusoBlack Duck Software
    • Agenda OSS in Mobile Trends Application Developers – Basics of OSS licenses – License considerations – Resources Device Manufacturers – Issues/Complexity/Supply chain – What’ Inside Gingerbread – Best Practices Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 2
    • Open Source Drives Mobile Innovation New Mobile OSS Projects4000  Over 3,800 new OSS3000 projects in 2010,2000 doubling each of the last 3 years1000 0 2005 2006 2007 2008 2009 2010  94% of new projects that specify a platform New 2010 FOSS Projects by are targeting Android Platform and Apple/iOS Windows Apple iOS 2%  Open source has redefined the mobile 39% Blackberry 2% Palm/Web OS 1% industry and is spreading Android Symbian 1% far beyond 55% Meego/Maemo 0% Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Android is a Huge Market Opportunity5045  Gartner: Android to become40 #2 Worldwide Mobile35 Symbian Operating System in 2010,30 Android #1 Position by 201425 RIM20 Apple iOS15 Windows10 Other  Android is powering more5 than smartphones….0 2009 1 2010 2 2011 3 2014 4Forecast: Mobile Communications Device Open OS Sales to End Users by OS (Market Share) OS 2009 2010 2011 2014Symbian 46.9 40.1 34.2 30.2Android 3.9 17.7 22.2 29.6RIM 19.9 17.5 15 11.7Apple iOS 14.4 15.4 17.1 14.9Windows 8.7 4.7 5.2 3.9Other 6.1 4.7 6.3 9.6Total 100 100 100 100 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.Source: Gartner (August 2010)
    • Android Devices: Phones, Tablets, eReaders,Autos, more….. Barnes & Noble Nook Lenovo LePadAutomobile: Android powered SaaB Droid by Motorola Samsung Galaxy Dell Streak HP Touchpad HTC Evo Shift Motorola Xoom Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 5
    • Android Compliance is a Growing Concern “The vast majority of Android tablets Ive been able to find are shipping without any source being made available, and that includes devices from well-known vendors. “ Matthew Garrett, Red Hat, Linux Kernel DeveloperSource: //www.codon.org.uk/~mjg59/android_tablets/ Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Agenda OSS in Mobile Trends Application Developers – Basics of OSS licenses – License considerations – Resources Device Manufacturers – Issues/Complexity/Supply chain – What’ Inside Gingerbread – Best Practices Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 7
    • Types of Open Source Licenses:Reciprocal vs. Permissive Reciprocal (aka Copyleft). – Requires licensee to make improvements or Most Popular Mobile OSS Licenses enhancements available under similar terms. 1 GPL – Example is the GPL: Licensee must distribute 2 LGPL “work based on the program” and cause such 3 MIT works to be licensed at no charge under the 4 Apache terms of the GPL. 5 BSD 6 Microsoft 7 Artistic 8 Eclipse 9 Common Public lIcense Permissive. 10 Mozilla – Modifications/enhancements may remain proprietary. – Distribution in source code or object code permitted provided copyright notice & liability disclaimer are included and contributors’ names are not used to endorse products. – Examples: BSD, Apache Software License. Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • The OSS License Continuum MIT GPL LGPL MPL Apache BSDStronger Weaker PermissiveCopyleft Copyleft licensesRestrictive Permissive Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Potential License Conflicts  Proprietary licenses. – Pay a fee – Most don’t provide source  Many OSS licenses allow restrictions on end users (Apache 2), but GPL does not  Some OSS licenses contain patent termination clauses  GPLv3 resolved incompatibilities with Apache. Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • App Stores and FOSS Licenses GPL licensed app’s can not be distributed through the Apple iTunes Store (or any store that imposes restrictions) – Apple ToS (terms of service) require that all software be licensed for use on a single device only – “Copylefted software can’t be un-freely relicensed, so it can’t be transacted for under Apple’s current ToS” Eben Moglen, SFLC – Just like GPLv2, GPLv3 prohibits distributors from placing additional restrictions on the software through legal documents or similar means” Brett Smith, Free Software Foundation Android stores – “So far as we know…the Google Android market… do not place any limitation on how a market participant’s application is licensed that would inhibit distributing Android applications in the market under copyleft licensing.” Eben Moglen, SFLC Permissive licenses (e.g., Apache, MIT, BSD) appear to be compatible with app store ToS Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Resources Webinar-based education: – //www.blackducksoftware.com/webinars/legal/ – Introduction to Open Source Licenses – Understanding the Top 10 Open Source Licenses – Unraveling the Complexities of the GPL Black Duck Android white paper & webinar – //www.blackducksoftware.com/android – //www.blackducksoftware.com/webinars/legal/android.html Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Agenda OSS in Mobile Trends Application Developers – Basics of OSS licenses – License considerations – Resources Device Manufacturers – Issues/Complexity/Supply chain – What’ Inside Gingerbread – Best Practices Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 13
    • Issues for Device Manufacturers How to control and manage building software on a rapidly changing open-source operating system with development forks, governed by multiple licenses against an aggressive release cycle?Typical concerns about Android: Uses the GPLv2 licensed Linux kernel Grown to a collection of ~165 different sub-components Written under ~19 different open source licenses Includes licenses that are reciprocal, and not all OSI-approvedRapid change – averages a major release every 3 ¼ months Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Android & Vendor Innovation Developers Typical areas of vendor/developer innovation Source: Google - //source.android.com/ Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • What’s Inside Android?Android 2.3 (“Gingerbread”) 165 Projects – 83 are “External” – Does not include Kernel Mirror Total Size – Over 80,000 Files – Over 2GB total size – Does not include Kernel Mirror Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • A Look Inside Two Android Components:Bionic & WebkitLicense types in: Bionic License types in: WebkitBSD 2.0* BSD 2.0CMU License David M. Gay LicenseCryptix License GPL 2.0Free clause ICU LicenseFreeBSD LGPL 2.1*Historical free MIT License V2INRIA OSL MIT v2 with Ad Clause LicenseIntel OSL Mozilla Public License 1.1Internet Software Consortium PCRE LicenseMIT Public DomainPublic Domain SWIG LicensePython InfoSeek The wxWindows Library License zlib/libpng LicenseX.Net License *Declared license Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 17
    • Android 2.3: The Ingredients for “Gingerbread” Licenses – Declared license: Apache 2.0 – Components reference 19 different licenses – External components  Linux, Webkit use reciprocal licenses (GPLv2, LGPL) – Other components: more than 30 of them use reciprocal licenses (GPL, LGPL, CPL, etc.)  e.g. dbus, grub, emma, e2fsprogs, bluez, Bison – Non-OSI approved licenses are used, including OpenSSL and Bzip2 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Managing FOSS in the Mobile Ecosystem and Software Supply Chain Out Source/ Your OS/Software Stack/Device Offshore Company Typical Smartphone has over 300 components Corporate-Owned IP XML Proprietary/Licensed IP Security FOSS Networking Outsourced development Email Multi-level supply chains Graphics Database Web Services Many more…19 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Meeting Open Source License Obligations There is no "mobile device" or small appliance exception which alters obligations under open source licenses When there is an obligation to provide source code, the obligation is met only by providing the source code for the specific device that is owned by the person requesting the code The benefits of an open platform place the burdens of compliance on every vendor that ships the platform There is no “downstream defense for upstream” violations Managing complexity requires the establishment of consistent processes Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Legal and IP Issues Depend on Your Positionin the Ecosystem  Middleware, component developer – Integration of your code with FOSS has implications forI your IPn – How downstream customers use your code may impactt your IPe  Device manufacturergr – Responsible for the entire bundle of components from suppliersat – Device driver code– open source it or not?i  Application developeron – Integration of your code with FOSS has implications for your IP – Also impacts distribution options Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Software Package Data Exchange™ (SPDX™)  Working group of FOSSBazaar (governance best practices group under Linux Foundation)  Charter:  Create data exchange standards to enable license and component information sharing (metadata)  Participation from over 16 organizations including software, systems and tool vendors, consultants and foundations Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Best Practices for Managing Android Policy Process Technology  Adopt and enforce an open source and third-party code policy  Identify and track all external code that is used  Automate validation at the point of acquisition and development  Automate monitoring and tracking of Android components  Control the use of components and promote standardization  Use automation tools to produce complete Bills of Material and reports for supply chain partners Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Summary  Android is highly successful and is changing the mobile and device landscape  Like many FOSS projects, there is complexity inside  The legal and IP issues depend on your role in the mobile supply chain/ecosystem  Effective management and control requires training, tools, and processes Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Information Resources Mark Radcliffe’s blog on the Bionic library: “Android and the Kernel: It’s not that simple” – //lawandlifesiliconvalley.com/blog/?p=593 Black Duck Android white paper & webinar – //www.blackducksoftware.com/android – //www.blackducksoftware.com/webinars/legal/android.htmlEmail: pvescuso@blackducksoftware.com Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    • Thank YouPeter VescusoBlack Duck Softwarepvescuso@blackducksoftware.com