Open Source License Compliance in the Cloud (CELESQ) (October 2012)
Presentation through the CELESQ-West legal webinar series, covering issues relating to open source software usage in cloud computing.

Presentation Transcript

  • Copyright 2012 Bryan Cave. Open Source Software License Compliance in Cloud Computing. October 24, 2012. Jason D. Haislmaier, jason.haislmaier@bryancave.com, @haislmaier
  • Disclaimer and Rights (Open Source Software)
      • This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have.
      • The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers.
      • For further information regarding this presentation, please contact the presenter(s) listed in the presentation.
      • Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License available at: http://creativecommons.org/licenses/by-sa/3.0/us.
  • Who’s using open source? Who’s using cloud computing?
  • Who’s using open source? Who’s using cloud computing? in cloud computing?
  • Who’s using open source? Who’s using cloud computing? not in cloud computing? Not just use but reliance
  • What is it? Cloud. Many definitions, key characteristics
  • Why “Cloud?” (What is Cloud Computing?)
  • “I’m not sure my goal for today is going to be to actually explain it to you, but I do want to make sure that people understand that I think everybody in our industry accepts it’s the next major transition point in terms of how IT gets done.” Steve Ballmer, CEO, speaking at a Microsoft event in Singapore (What is Cloud Computing?)
  • NIST Definition (What is Cloud Computing?)
      • Initial NIST draft definition – April 2009
      • Final NIST definition – September 2011
      • Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
  • NIST Definition - Essential Characteristics (What is Cloud Computing?)
      • On-demand/self-service
      • Broad network access
      • Standard access mechanisms
          – Thin client (e.g., browser) or thick client (e.g., program interface)
          – Multiple devices (e.g., mobile phones, tablets, laptops, workstations)
      • Resource pooling (multi-tenant model) and location independence
      • Rapid elasticity in provisioning and release
      • Measured service (resource usage is monitored, controlled, and reported)
  • NIST Definition - Service Models (What is Cloud Computing?)
      • Software as a Service (SaaS)
          – Standard applications running on a cloud infrastructure
          – Accessible through various devices
          – Consumer does not manage or control the underlying cloud infrastructure
      • Platform as a Service (PaaS)
          – Consumer-created or acquired applications deployed on a cloud infrastructure
          – Accessible through various devices
          – Consumer does not manage or control the underlying cloud infrastructure
      • Infrastructure as a Service (IaaS)
          – Consumer-created or acquired software deployed on consumer-provisioned cloud computing resources (e.g., processing, storage, networks, etc.)
          – Accessible through various devices
          – Consumer does not manage or control the underlying cloud infrastructure
          – But does control operating systems, storage, and deployed software
  • NIST Definition - Deployment Models (What is Cloud Computing?)
      • Private cloud
          – Provisioned for exclusive use by a single organization
          – May include multiple consumers (e.g., business units) within that organization
          – Owned, managed, and operated by the organization or by a third party
      • Community cloud
          – Provisioned for exclusive use by multiple organizations having shared concerns (e.g., mission, security, policy, privacy, or compliance)
          – Owned, managed, and operated by the organizations or by a third party
      • Public cloud
          – Provisioned for use by the general public
          – Owned, managed, and operated by the organization providing the service
      • Hybrid cloud
          – Two or more distinct cloud infrastructures (private, community, or public)
          – Interfaced to enable data and application portability
  • “network access” (What is Cloud Computing?)
  • “client” “provider” “vendor” (What is Cloud Computing?)
  • “thin client” “thick client” (What is Cloud Computing?)
  • “location independence” “on or off premises” (What is Cloud Computing?)
  • Distribution of “software” / Distribution of “functionality” (What is Cloud Computing?)
  • Transparency and Understanding
  • Know your “Cloud”
  • Open Source in the Cloud
  • Why does distribution matter? (Open Source Licenses)
  • Changing Use of OSS (Legal Issues)
      • Permissions granted by OSS licenses are dependent on the way in which the OSS is used
      • Be wary of changes in the use of OSS over its lifecycle
      • Initial analysis is important
      • Equally important to refresh when use changes
      • Diagram labels:
          – In-license of OSS under GPL
          – Revisions made to OSS
          – Linked to or bundled with proprietary code
          – Internal Use
          – Use by wholly owned sub
          – Distribution occurs via: Sub is sold to 3rd party; Software shared with “partner” during further development; Change in technical or business model requires use by end users
  • Open source software is licensed software. Open source licenses make the software “open source” (Open Source Licenses)
  • Open source licenses are dependent on copyright laws. Open source licenses are not anti-copyright (Open Source Licenses)
  • “Copyleft”: All Rights Reversed. Copyright: All Rights Reserved (Open Source Licenses)
  • Open Source Licenses Depend on Copyright (Open Source Licenses)
      • Open source software licensing has arisen (at least in part) as a response to the advance of copyright law
      • In the US, this is the Copyright Act of 1976 (17 U.S.C. §§ 101 – 810)
      • Under the Copyright Act, a copyright attaches to “original works of authorship, fixed in a tangible medium of expression” (See § 102)
      • The Copyright Act allows only very narrow means for an author to “opt-out” of receiving a copyright on an otherwise copyrightable work
      • Computer software is generally viewed as being potentially copyrightable subject matter
  • Open Source Licenses Depend on Copyright (Open Source Licenses)
      • Open source licensing relies on the ability of a copyright owner to choose how to enforce (or not enforce) the copyright in his or her software
      • Each open source license is intended to act as a set of permissions (and restrictions) granted by a copyright owner under their copyright
      • Like most licenses (or contracts), open source licenses have limits
      • Unlike proprietary licenses, these limits generally allow for more “open” or “free” use of the software
      • The limits of each open source license comply with a document called the “Open Source Definition”
  • The Open Source Definition (Open Source Licenses)
      • The “Open Source Definition” (OSD) articulates the “distribution terms” with which licenses must comply to be considered “open source”
          – Availability of source code
          – Free redistribution
          – Availability of “derived works”
          – Integrity of the author’s source code
          – No discrimination against persons or groups
          – No discrimination against fields of endeavor
          – License must travel with the software
          – License not dependent on particular software distribution
          – License does not restrict other software
          – License technology neutral
      • Used by the Open Source Initiative (OSI) to approve licenses as “open source”
  • Approved Open Source Licenses (Open Source Licenses)
      • The OSI maintains a program to approve licenses as compliant with the OSD
      • Nearly 70 different licenses approved as “open source” by the OSI
          – All implement the OSD, each with its own specific terms
          – One definition, many different types of licenses
      • Many more unapproved “open source” licenses exist
          – Never formally approved by the OSI, but comply with the OSD
          – Still refer to themselves (and referred to by others) as “open source”
      • Many other licenses are referred to as “open source” but are anything but
          – Perhaps based in some part on the OSD or on an OSI-approved license
          – No guarantee of compliance with the OSD
  • Just how different are open source licenses? (Open Source Licenses)
  • Many Varied Consequences (Open Source Licenses)
      • Spectrum labels: Copyleft, Academic
      • Very Permissive
          – Berkeley Software Distribution License (BSD)
          – MIT License
          – W3C
      • Less Permissive
          – Apache Software License
          – Eclipse Public License
          – Artistic License
      • Less Restrictive
          – Mozilla Public License (MPL)
          – Common Development and Distribution License (CDDL)
          – Common Public License (CPL)
          – IBM Public License
      • More Restrictive
          – GNU GPL v2
          – GNU GPL v3
          – GNU LGPL v2.1
          – GNU LGPL v3
          – Affero GPL v3
  • Example: BSD License (Open Source Licenses)
      • Triggered by “Redistribution and use”
      • Express conditions apply to “redistributions”
      • Does it matter given the permissive nature of the BSD?
  • Example: Apache License (v2.0) (Open Source Licenses)
      • Permits the ability to “freely download and use” the covered software
      • Express conditions are triggered upon redistribution
  • Example: Mozilla Public License (v1.1) (Open Source Licenses)
      • Does not apply to “private modification and distribution”
      • “Private” includes “inside a company or organization”
      • Does not clarify what counts as “inside”
  • Example: Mozilla Public License (v2.0) (Open Source Licenses)
      • Does not apply to “private modification and distribution”
      • “Private” includes “inside a company or organization”
      • Does not clarify what counts as “inside”
  • Example: GPLv2 (Open Source Licenses)
      • Triggered by distribution
      • Merely running the program for internal use is not restricted
  • Increasingly, it’s not just about “distribution” (Open Source Licenses)
  • Example: GPLv3 (Open Source Licenses)
      • Not triggered directly by a “distribution” but by a “conveyance”
      • Conveyances expressly exclude
          – Executing on a computer or making a “private” copy
          – Use over a network
  • “So doesn’t this mean that the GPL is the new BSD license . . . and that Google is the new Microsoft?” Bradley Kuhn, former executive director of the FSF (Open Source Licenses)
  • Example: AGPLv3 (Open Source Licenses)
      • Expressly covers use over a network
      • Treats use over a network as a conveyance is treated under GPLv3 (or as a distribution is treated under GPLv2)
  • What constitutes a “distribution” of software? (Open Source Licenses)
  • Distribution Under Copyright Law (Open Source Licenses)
      • In the U.S., the Copyright Act provides copyright owners with five exclusive rights (See §106)
          – Reproduce
          – Distribute
          – Display (publicly)
          – Perform (publicly)
          – Prepare derivative works
      • “Distribution” itself is not defined by the Act
      • But the Act does provide some guidance
      • The right of “distribution” is framed by additional language in §106
          – Distribution of copies (or phonorecords)
          – To the public
          – By transfer (sale, rental, lease, or lending)
  • Distribution Under Copyright Law (Open Source Licenses)
      • A “publication” is defined in §101 of the Act
      • Requires the exchange of an actual physical copy
      • The Act links the two terms
          – States that offering to distribute copies to others “for purposes of further distribution” constitutes a publication (§101)
          – Contrasts publication from a public performance or display
      • Courts have also likened the right of distribution to a publication (See, e.g., Harper & Row v. Nation Enterprises, 471 U.S. 539 (1985))
      • History of the Act also supports a connection between the two terms (prior versions of U.S. copyright law prior to the Copyright Act of 1976)
      • Attempts to extend the definition of “distribution” to include “making available” (without the exchange of an actual physical copy) have met with resistance from the courts
      • This can be very country specific
  • “I know it when I see it” Justice Potter Stewart, Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Concurring) (Open Source Licenses)
  • Distribution Under Copyright Law (Open Source Licenses)
      • Diagram labelled “Distribution”:
          – Internal use by employees
          – Traditional software licenses
          – Internal subcontractors
          – Outside consultants
          – Subsidiaries
          – Partially-owned Affiliates
          – Outsourcers
          – Web hosting providers
          – Co-location providers
          – Leases and loans
          – Demos
          – Joint Venture “Partners”
          – Mergers
          – Acquisitions
  • What are the consequences of a distribution? (Open Source Licenses)
  • Example: GPLv2 (Open Source Licenses)
      • GPLv2 covers the program licensed under GPLv2 and “works based on the program”
      • Requires works in whole or in part “derived from the Program” to be licensed under the terms of the GPL
  • Example: GPLv2 (Open Source Licenses)
      • Refers to a “derivative work” under applicable copyright law as a guide
      • Also provides its own interpretation of what would be included as a “work based on the program”
  • Many (many, many) questions of interpretation (Open Source Licenses)
  • Example: GPLv2 (Open Source Licenses)
      • GPLv2 sets multiple boundaries
          – Triggered by a “distribution”
          – Allows modification to form a “work based on the Program”
          – Requires a work that “in whole or in part contains or is derived from the Program” to be subject to the GPL
      • Does not fully define these terms
      • Refers to applicable copyright law for aid in providing definitions
      • Copyright law is also not well-defined as it relates to these terms (particularly in the context of software)
  • Example: GPLv2 (Open Source Licenses)
      • Multiple interpretations and understandings have emerged
          – Free Software Foundation and other open source groups
          – Open source legal community
          – Very limited court decisions regarding open source
          – Court decisions in other areas of copyright law
      • Relatively little dispute at either end of the spectrum
      • Uncertainty exists in the many variations in-between
      • Cloud implementations add additional variations
      • Even “accepted” interpretations are highly fact-dependent
  • Example: GPLv2 (Open Source Licenses)
      • Copyright law gives the copyright owner power to enforce their copyright
      • Issuing licenses is part of this power
      • The copyright owner decides
          – Whether to apply GPLv2 to their software
          – How to interpret GPLv2 as applied to their software
          – When and how to enforce GPLv2
      • Court decisions apply (if they are available)
      • Accepted interpretations and practices can carry weight
      • Where the law is unclear and multiple reasonable interpretations exist, the copyright owner has the power to decide which interpretation to adopt
  • What happens when a difference in interpretation occurs? (Open Source Licenses)
  • Takeaways (Open Source in the Cloud)
      • Legally, open source is (still) all about the licenses
      • Cloud computing puts the focus on different issues than traditional software delivery models
      • Distribution is an important issue, but is not the only concern
      • Other traditional open source legal issues are still (very) relevant
      • Interpretation of these issues requires an understanding of the “cloud”
      • Focus on the core characteristics of the cloud
      • Understand how those characteristics affect the interpretation of open source licenses
      • Premium (as always) on preemptive action
      • Increased risks (and hassles) for unprepared companies
      • Update existing open source compliance programs (before you are required to do so)
  • Thank You. Jason Haislmaier. Email: jason.haislmaier@bryancave.com. Twitter: @haislmaier. LinkedIn: http://www.linkedin.com/in/haislmaier