Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016


Published on

Martin von Willebrand
Chairman, Validos ry
Partner, HH Partners Attorneys-at-law Ltd

Collaborative Open Source Compliance

Mindtrek 2016

Published in: Technology
  • Be the first to comment

Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016

  1. 1. Collaborative Open Source Compliance Mindtrek 2016 17.10.2016 Martin von Willebrand Chairman, Validos ry Partner, HH Partners Attorneys-at-law Ltd
  2. 2. Validos ry • Established 2008 • Validos helps members by producing open source compliance services, based on member needs • Open source enables many projects and products and speeds up development work, but complying with licenses is a challenge for everyone • Validos provides collaboration and top expertise • A growing database of 1000+ open source packages, extranet • Consultative services growing: policy and process consultation
  3. 3. Validos members as of 1 September 2016
  4. 4. Open source (OS) in a nutshell Gilles Gonthier, Cc-By
  5. 5. OS Basics • Open source, i.e. free software = software licensed with a license that allows free use, examination, modifying, copying and distribution without discrimination. May contain other terms. • Software which use is subject to same rules of nature than any other software: – Good and bad – Widely used and little used – Projects/sw which live long /short – Suitable / not suitable – Secure / non secure • Openness is a positive property – Which may result in unmanaged exploitation Gilles Gonthier, Cc-By
  6. 6. OS Basics • What is open source? – Effective sw development methodology – Light-weight co-operation model – Lower costs and increased speed for proprietary development – Business opportunity – Sw with an open source license
  7. 7. OS Basics • Compliance means acting rightfully, i.e. complying with laws, ethical practices and in a sustainable way • The golden rule of OSS Compliance: One must simultaneously satisfy the requirements of each applicable license. • If not possible, can’t be done.  Change of practices • In practice, risk appreciations needed. Gilles Gonthier, Cc-By
  8. 8. OS Basics • OS, OSS, FOSS • Linux, linux distributions, GNU/Linux, Linus Torvalds • Apache, could mean Apache Software Foundation, Apache License (1, 1.1 and 2), Apache http server Licenses • Copyleft i.e. reciprocity (NOT: viral effect, contagious, inheritance) • Permissive licenses: BSD, MIT, Apache and many others • Weak and strong copyleft / reciprocity – MPL – GPL, LGPL and Affero GPL (AGPL) Gilles Gonthier, Cc-By
  9. 9. OSS Procurement / Use
  10. 10. • OSS is excellent for companies as a part of their products and services – Project deliveries – Software products – Services over the Internet – (Developement, other internal use) – Business models • Use has to be managed • OSS is nothing special – Different types of software / packages / components – Choosing between alternatives: Same criteria as with closed software • OS licensing model is a benefit OSS Procurement and Use Lennysan, Cc-By
  11. 11. How to Take OSS Into Use? • Information on used packages needs to be in the right place • What processes are required? – Third party closed software is not taken into use without management (typically purchase process) • Typically needed, a process: – Selection – Validation • General technical and legal review • Specific review in relation to the applicable business model – Decision
  12. 12. Risk Management Perspective • Why legal validation, i.e. compliance • Two ~legal risk types – Community risk, if non-compliant • Community includes: 1) customers, employees of customers, 2) rest of downstream, 3) own employees, subcontractors 4) OSS-developers etc. • If realises results in badwill (”bad” corporate citizen) and increased legal risk – Legal risk, if non-compliant • Right holder intervenes: extra work, changing product, recalling products, destroying products, costs, compensations – Publication of own source code is a choice of the company
  13. 13. Managing Risk • Community Risk: Develop a good working relationship with OS- community; create, maintain and communicate a OS contact point for compliance matters • Comply with terms for distribution – act correctly, respect the authors, be active • Copyleft/reciprocity: create a sensible policy, and methods to address borderline cases – Take care of architecture questions (so called linking questions) – If needed, put requirements on the customer • Avoid being the distributor
  14. 14. OSS Publication
  15. 15. OSS Publication • Organization creates software which it makes public in a git- or svn- repository • Developed code builds upon or directly uses OSS components  need detailed OSS compliance – Do you distribute third party OSS software? • Dependencies – A lot! – Dependencies that are referred as a dependency list for build process and that are not in your own repository (other than the list) – Dependencies that need to be distributed in other connections, e.g. in production deployment. Easiest to fulfill obligations by distribute the source code in your repository  need detailed OSS compliance
  16. 16. GPL License from User’s Perspective
  17. 17. Managing Risk / GPL v2 • A lot of misconceptions • GPLv2 is NOT contagius, it contains reciprocity obligation (copyleft) – In order to distribute, must comply with reciprocity – No mechanism which would mean automatic licensing of a company’s own code under GPL v2 • Not aware of any such claim in any public court – Section 2 (introduction and sub-clause b) • GPL copyleft applies to distribution only (not e.g. use by yourself) – Does not apply to software as a service deliveries • Copyleft term includes some ambiguity – Distribution of GPL v2 licensed software with proprietary sw – When does copyleft apply? (In order to distribute…) – Can be put to perspective and solved
  18. 18. Managing Risk, GPL v2 • Copyleft and architecture trade practice
  19. 19. Thank you!