• Share
  • Email
  • Embed
  • Like
  • Private Content
Managing OSS license obligations
 

Managing OSS license obligations

on

  • 737 views

Heather Meeker and Michael Herzog discuss the primary open source license obligations and some practical approaches for compliance with attribution and redistribution obligations.

Heather Meeker and Michael Herzog discuss the primary open source license obligations and some practical approaches for compliance with attribution and redistribution obligations.

Statistics

Views

Total Views
737
Views on SlideShare
725
Embed Views
12

Actions

Likes
0
Downloads
11
Comments
0

1 Embed 12

http://www.linkedin.com 12

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Managing OSS license obligations Managing OSS license obligations Presentation Transcript

    • Managing  Open  Source  Obliga1ons
    • Managing  Open  Source  Obliga1onsAgenda  •  Introduc1on  •  Iden1fy  the  ten  most  common  open  source  license   obliga1ons  •  Explain  what  you  need  to  do  to  comply  with  these   obliga1ons  •  Discuss  the  key  compliance  challenges  today  •  Outline  an  approach  for  automa1ng  compliance  •  Describe  compliance  automa1on  case  studies  –   Android  and  DejaCode  •  Ques1ons  
    • Managing  Open  Source  Obliga1onsTen  Most  Common  OSS  License  Obliga1ons  •  Copyright  no1ces  •  License  no1ces  •  AFribu1on  requirements  •  “CopyleI”  obliga1ons  (licensing  of  deriva1ve  works)  •  Source  code  licensing  •  Source  code  delivery  •  Build  and  installa1on  instruc1on  delivery  (GPL)  •  No1ce  of  changes  •  Indemni1es  •  Non-­‐use  of  trademarks  
    • Managing  Open  Source  Obliga1onsHow  to  Comply  –  No1ces  •  Copyright,  license,  modifica1on,  and  aFribu1on   requirements  •  Delivery  of  source  code  may  be  the  easiest  way  to   comply,  because  no1ces  are  “baked  in”  to  distribu1on   package  •  Binary  delivery  requires  crea1on  of  no1ce  files  •  No1ces  must  be  in  the  product  delivery,  for  most   licenses  •  Online  delivery  is  usually  not  sufficient  •  Relying  on  third  party  no1ces  is  usually  not  sufficient  
    • Managing  Open  Source  Obliga1onsHow  to  Comply  –  Source  Code  •  For  GPL,  LGPL,  and  other  copyleI  licenses  •  Source  materials  must  be  made  available,  but  not   necessarily  delivered  with  product  •  Not  necessary  to  post  source  materials  on  the  web,  but   this  is  a  good  prac1ce  
    • Managing  Open  Source  Obliga1onsHow  to  Comply  -­‐  Licenses  •  Need  to  carve  copyleI  licensing  requirements  from   EULAs  •  GPL,  LGPL  and  other  licenses  cannot  be  changed  to   other  terms  •  “Weak  copyleI”  licenses  like  EPL,  MPL  allow  bifurcated   licensing  of  source  and  binaries  
    • Managing  Open  Source  Obliga1onsKey  Compliance  Challenges  •  Tracking  open  source  use  •  No1ce  crea1on  •  No1ce  delivery  •  Build  and  installa1on  instruc1on  delivery  •  Ensuring  the  source  code  is  right  for  the  build  
    • Managing  Open  Source  Obliga1onsCompliance  Automa1on  Star1ng  point  is  a  good  baseline  analysis  •  Origin  and  license  of  open  source  components  •  Which  open  source  components  are  Deployed  Then  you  need  prac1cal  ways  to:  •  Enable  and  encourage  the  engineering  team  to  keep   origin  and  license  data  current,  and  •  Use  that  data  to  create  compliance  deliverables,  and    •  Audit  a  new  release  efficiently,  and  •  Repeat  the  process  
    • Managing  Open  Source  Obliga1onsCompliance  is  easier  than  you  think  Establish  simple  policies  –    “Highest  common  requirement”  for:  •  AFribu1on  text  documenta1on  and  display  •  Source  code  Redistribu1on  •  Change  documenta1on  •  Non-­‐endorsement  /  trademarks    ALWAYS  keep  original  copyright  and  license  no1ces  with  the  codebase  (in  files  or  directories)  
    • Managing  Open  Source  Obliga1onsCompliance  is  easier  than  you  think  Add  a  simple  system  to  track  license  data  that:  •  Can  be  adapted  to  exis1ng  engineering  processes   –  Engineers  can  use  and  update  the  data  during   normal  soIware  development  ac1vi1es   –  Independent  of  programming  languages  or  tools  •  Can  produce  data  for:   –  Delivery  to  customers  as   •  AFribu1on  and  Redistribu1on  packages   •  SPDX  (SoIware  Package  Data  Exchange)  files   –  Import  into  enterprise  systems  
    • Managing  Open  Source  Obliga1onsSoIware  Package  Data  Exchange®  •  A  standard  format  for  communica1ng  the  components,   licenses  and  copyrights  associated  with  a  soIware   package  •  Allows  easy  exchange  of  license  informa1on  between   companies  reducing  burden  on  both  suppliers  and   consumers  •  A  Working  Group  of  the  Linux  Founda1on  •  Part  of  Linux  Founda1on’s  Open  Compliance  Program     www.spdx.org  
    • Managing  Open  Source  Obliga1onsComponent  Metadata  •  Add  one  text  file  per  soIware  component  at  the  level   necessary  to  document  the  origin,  license  and   obliga1ons  for  the  component  •  Typically  a  text  or  XML  file  with  “tag  /  value”  format,   such  as:   COMPONENT:  Myarchive   VERSION:  1.2.3   LICENSE_NAME:  MIT   LICENSE_TEXT:  (text  goes  here……)   ATTRIBUTION_TEXT:  (if  different  from  license  text)   LICENSE_FILE:  myarchive.LICENSE   SOURCE_REDISTRIBUTION:  yes/no   USAGE:  Internal  only  
    • Managing  Open  Source  Obliga1onsBasic  Automa1on  •  Use  script-­‐style  programs  to  read  Component   Metadata  file  and   •  Create  an  AFribu1on  text  file     •  Create  a  Redistribu1on  package  list    •  Edit  the  files  to  remove  components  that  are  not   Deployed  •  Add  the  AFribu1on  text  file  to  the  product   documenta1on  and(or)  product  GUI  (Help  /  About)   •  Assign  an  engineer  to  create  the  Redistribu1on   package  and  installa1on/build  instruc1ons  
    • Managing  Open  Source  Obliga1onsAdvanced  Automa1on    Enhance  the  build  system  and  tools  to:   •  Recognize  Component  Metadata  files   •  Assemble  Component  Metadata  files  during  a  build  for   components  included  in  an  end-­‐product  (Deployed)   •  Collect  AFribu1on  data  for  Deployed  components  and  create   AFribu1on  text  file   •  Insert  AFribu1on  text  into  GUI  (Help  /  About)   •  Collect  source  code  for  the  components  that  require   Redistribu1on  (including  dependencies)   •  Create  an  archive  file  of  the  Redistribu1on  package  
    • Managing  Open  Source  Obliga1ons AndroidTM  Case  Study   •  Android  project  applies  an  advanced  approach  to   automate  OSS  compliance   •  Several  types  of  metadata  files  added  to  the  project   codebase   •  Build  system  can  use  these  files  to  create  AFribu1on   text  and  Redistribu1on  packages  based  on  Deployed   components  The Android robot is reproduced or modified from work created and shared by Google and used according to terms describedin the Creative Commons 3.0 Attribution License.
    • Managing  Open  Source  Obliga1onsAndroid  Metadata  •  MODULE_LICENSE_xxx  marker  files     •  MODULE_LICENSE_APACHE2  means  the  directory  is  Apache   2.0-­‐licensed   •  Approx.  500  such  files  in  Android  4.1  –  Jelly  Bean  •  NOTICE  files   •  Co-­‐located  with  MODULE_LICENSE  marker  files   •  Contains  license  and  other  aFribu1on  text   •  Created  by  the  original  OSS  project  or  by  Android  team   •  Plus  keep  all  original  no1ces  
    • Managing  Open  Source  Obliga1onsAndroid  Tools  •  Tools  in  the  Android  build  system:   •  Create  aFribu1on  no1ces  from  and  display  them  in  the   Android  UI     •  Collect  source  code  and  create  archives  for  redistributable   source  code  •  AFribu1on  and  Redistribu1on  packages  are  based  on   the  actual  subset  of  code  Deployed  as  determined  by   the  build  system  
    • Managing  Open  Source  Obliga1onsAndroid  Compliance  Deliverables    •  AFribu1on  text  is  delivered  on  the  phone  or  tablet  as   an  HTML  file  located  at  Seongs  /  About…  /  Legal   Informa1on  /  Open  Source  License       –  (You  can  check  this  now)  •  You  can  see  examples  of  Android  compliance  packages   for  Motorola  Mobility  phones  and  tablets  •  Source  code  packages  are  provided  at:   –  hFp://sourceforge.net/motorola/wiki/Android/     –  (Metadata  files  are  inside  each  code  package)  
    • Managing  Open  Source  Obliga1onsDejaCodeTM    Case  Study  •  nexB  has  developed  a  basic  specifica1on  and   corresponding  tools  to  automate  compliance     •  Based  on  ABOUT  files  for  Component  Metadata   •  Applicable  to  any  programming  language  and  soIware   development  environment   •  Extensible  to  build  system  integra1on  for  advanced  approach  •  Tools  licensed  under  Apache  2.0  
    • Managing  Open  Source  Obliga1onsABOUT  File  Example  hFpd-­‐2.4.3.tar.gz.ABOUT    name:        Apache  HTTP  Server  home_url:        hFp://hFpd.apache.org  download_url:    hFp://apache.belnet.be//hFpd/hFpd-­‐2.4.3.tar.gz  version:                      2.4.3  date:                            2012-­‐08-­‐21  license:                    apache-­‐2.0  license_file:        hFpd-­‐2.4.3.tar.gz/LICENSE  copyright:          Copyright  2012  The  Apache  SoIware  Founda1on.  no1ce_file:          hFpd-­‐2.4.3.tar.gz/NOTICE    
    • Managing  Open  Source  Obliga1onsDejaCode  compliance  tools  •  Based  on  Component  Metadata  in  ABOUT  files  •  Creates  OSS  inventory  on  demand  (spreadsheet)  •  Creates  AFribu1on  text  file   •  Text  file  organized  by  copyright/license  no1ce  and   component   •  Default  text  or  HTML  format  •  Creates  source  code  Redistribu1on  package  list  
    • Managing  Open  Source  Obliga1onsDejaCode.org  •  nexB  is  sponsoring  DejaCode.org  as  a  community  site   to  share  techniques  and  tools  for  automa1ng   compliance  with  OSS  obliga1ons  •  Documenta1on  of  exis1ng  techniques  and  tools  from   Android,  Apache  Maven  (Java),  CPAN  (Perl)  and  others  •  Home  for  new  projects  like  nexB’s  ABOUT  system  •  Visit  us  at:   www.dejacode.org  
    • Managing  Open  Source  Obliga1ons“Virtuous”  compliance  lifecycle  •  Complete  baseline  codebase  analysis  for  a  product  •  Generate/create  Component  Metadata  files  in  the   codebase  from  baseline  analysis  findings  •  Update  Component  Metadata  files  during  release   development  •  Confirm  Component  Metadata  changes  and/or  iden1fy   addi1onal  changes  with  an  audit  •  Regenerate  compliance  deliverables  using  the   Component  Metadata  files  •  Repeat…  
    • Managing  Open  Source  Obliga1onsQues1ons  
    • Managing  Open  Source  Obliga1onsAbout  Greenberg  Traurig  LLP  •  GT  is  an  interna1onal,  mul1disciplinary  law  firm  in  35   loca1ons  in  the  United  States,  La1n  America,  Europe,   the  Middle  East  and  Asia.     •  An  Interna1onal   Network  of  More   than  1,750   AForneys  &   Governmental   Affairs   Professionals  
    • Managing  Open  Source  Obliga1onsAbout  nexB  Inc.  •  nexB  offers:   –  SoIware  analysis/audit  services  for  acquisi1ons  and  for   products   –  DejaCode  Enterprise  –  a  central  business  system  for   managing  soIware  components  •  200+  soIware  audit  projects  completed  to-­‐date   –  Aggregated  audited  codebases  >  3  billion  lines  of  source  code   –  Aggregated  value  of  the  acquisi1ons  transac1ons  >  $5B  •  See  the  DejaCode  License  Library  at   www.dejacode.com  
    • Managing  Open  Source  Obliga1onsContacts  •  Greenberg  Traurig   Heather  Meeker   MeekerH@gtlaw.com  •  nexB  Inc.   Michael  Herzog   mjherzog@nexB.com   +1  650  380  0680