
Understanding open source licenses

There are hundreds of open source licenses. Most developers don't take the time to read or understand them, but can you continue to ignore them? We have seen a rise in litigation around open source licenses over the last 10 years. And, in the last 12 months we have seen the first examples of OSS copyright trolls that are taking developers to court in an attempt to monetize GPL violations.

This presentation covers:
  • How OSS licenses are enforced
  • What the main types of OSS licenses are
  • How to identify them
  • What steps you need to take to ensure you are complying

We cover use case scenarios and do a "deep dive" on the most used licenses today and how to understand them.


Understanding open source licenses

  1. © 2016 Rogue Wave Software, Inc. All Rights Reserved. Understanding Open Source Licenses. Dave McLoughlin, Rogue Wave
  2. Understanding Open Source Licenses
     • There are hundreds of open source licenses. Most developers don't take the time to read or understand them, but can you continue to ignore them? We have seen a rise in litigation around open source licenses over the last 10 years. And, in the last 12 months we have seen the first examples of OSS copyright trolls that are taking developers to court in an attempt to monetize GPL violations.
     • This session covers:
       – How OSS licenses are enforced
       – What the main types of OSS licenses are
       – How to identify them
       – What steps you need to take to ensure you are complying
     • We cover use case scenarios and do a "deep dive" on the most used licenses today and how to understand them.
  3. Legal disclaimer
     • Rogue Wave Software, Inc. is not engaged in the rendering of legal advice. This material provides legal information, which should not be confused with legal advice.
     • I am not an attorney
  4. (no slide text)
  5. Understanding OSS licenses
  6. OSS license challenges
     • It can be hard to determine the correct license
       – OSS packages bundle other OSS packages
       – License information may not be correct: the author says BSD on the website and provides code with a copy of MIT
       – Multiple licenses, disjunctive or conjunctive
       – Default license added to content (Stack Overflow, Code Project)
     • Many (most) OSS licenses were not written by attorneys
       – They don't necessarily track statutory or typical contract language; they may be vague, may use alternative definitions, etc.
     • Incompatibility or license conflicts
       – Impossible to comply with the requirements of both licenses
       – Compatibility issues with proprietary licenses (EULA)
  7. OSS license types
     • Permissive
       – Broad grant of rights with no requirements on relicensing under particular terms
       – License requirements are minimal (retain notice; include copy of license)
     • Copyleft
       – License must be applied to the original work and any derivative work thereof
       – Source code must be made available in most cases
       – "Weak" copyleft: licenses where not all derived works inherit the copyleft license
  8. Common descriptive license terms
     • Copyleft
       – Restrictive or protective
       – Hereditary or viral
       – Share-alike
     • Permissive
       – Attribution licenses
       – Non-copyleft
     • Non-commercial free
       – Evaluation, educational or research software, e.g. HighchartsJS
     • Freeware
       – No source code or restricted redistribution, e.g. Java
  9. Why are licenses important?
     • Copyright is a legal right created by the law of a country that grants the creator of an original work exclusive rights for its use and distribution. (https://en.wikipedia.org/wiki/Copyright)
     • Copyright is an unregistered right: it comes into existence at the same time that the work is "fixed"
     • It protects the "fixed" form of an idea, not the idea itself (which is the province of patent law)
     • The OSS license contains the terms of use that tell you how you can use the OSS and gives you permission to use copyrighted material
     • Without a license you may need to get permission to use code you download from the Internet
     • If you don't comply with the license, the author has the right under copyright law to revoke your permission to use it
  10. License compatibility
     • License compatibility is an issue that arises when licenses are applied to copyrighted works, particularly licenses of software packages (including software source code and binary representations).
     • Licenses can contain contradictory requirements, rendering it impossible to combine source code or content from such works in order to create new ones. (https://en.wikipedia.org/wiki/License_compatibility)
     • Issues stem primarily from copyleft licenses. See fsf.org, "GPL-Incompatible Free Software Licenses" (https://www.gnu.org/licenses/license-list.html#GPLIncompatibleLicenses)
     • Example: CDDL 1.0 and GPL (any version). Quoting the FSF list: "This is a free software license. It has a weak per-file copyleft (like version 1 of the Mozilla Public License) which makes it incompatible with the GNU GPL. This means a module covered by the GPL and a module covered by the CDDL cannot legally be linked together. We urge you not to use the CDDL for this reason."
  11. Multiple licenses
     • Disjunctive
       – Choice of license
       – Usually for compatibility issues
       – E.g. many Java libraries are dual-licensed CDDL 1.0 or GPL with Classpath Exception (CPE)
     • Conjunctive
       – Combination of OSS in the same project or file
       – Fairly common in JavaScript/jQuery
  12. Comparison of OSS and proprietary licenses
     • Commercial license
       – We do this . . .
       – You do this . . .
       – Requirements/restrictions
     • OSS license
       – If you do this . . .
       – Then you must do this* . . .
       – Requirements/restrictions
     * If you don't do this, then you don't have the right to use
  13. Understanding OSS licenses
     • Many OSS license terms are IF-THEN statements
       – IF I am... distributing, conveying, modifying (HOW am I using the OSS?)
       – THEN I must... provide a copy of the license, retain notices, provide the source code... (WHAT is the requirement? HOW does that requirement need to be met?)
     • OSS licenses have requirements and restrictions just like other IP licenses
       – Can do, must do, can't do
  14. Example of "if then" in an OSS license
     • BSD License excerpt: "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer."
     • Paraphrase:
       – IF (you distribute in source or binary form) THEN (you must retain copyrights and distribute this license)
  15. Enforcement and litigation
  16. Enforcement
     • The Free Software Foundation (FSF) is the de facto enforcer of the GPL license
       – FSF runs a compliance laboratory that investigates violations
       – FSF is available for hire to assist companies to comply
       – Partners with the Software Freedom Law Center (SFLC)
     • The Software Freedom Conservancy
       – A not-for-profit charity that helps promote, improve, develop, and defend Free, Libre, and Open Source Software (FLOSS) projects
       – Currently has 46 member projects (as of October 2017)
     • Free Software Foundation Europe (FSFE) is a charitable registered association under German law
       – It is the official European sister organization of the U.S.-based Free Software Foundation (FSF)
  17. Sample OSS litigation
     • USA
       – Linksys/Cisco (2003)
       – Wallace v. FSF (2005) and Wallace v. IBM et al. (2006)
       – FSF v. Monsoon (2007)
       – FSF v. Cisco (2009)
       – BusyBox v. Best Buy + 13 other companies (2009-2012)
       – XimpleWare v. Versata & Ameriprise Financial (2013)
       – Oracle v. Google (2015)
     • Germany
       – Welte v. Sitecom (2004)
       – Welte v. Fortinet UK Ltd. (2005)
       – Welte v. D-Link (2006)
       – Welte v. Skype (2008)
       – Welte in the AVM v. Cybits case (2011)
       – Welte v. Fantec (2013)
     • France
       – AFPA v. Edu4 (2001)
       – Free/Iliad (2007)
  18. Non-court actions
     • A developer reached out to a large mobile phone manufacturer about OSS use in a phone
       – Reaction was swift
       – Company now audits all software developed or acquired
     • FSF and FSFE (gpl-violations.org): notices of compliance issues
       – The FSF website has a link to report license violations
       – They routinely send notices of violation and warnings
  19. OSS license obligations
  20. OSS licenses: typical conditions and restrictions
     • Retain copyright (and other) notices
     • Provide a copy of the license
     • Provide notice of modifications
     • Provide access to source code (whether you modified it or not)
     • Maintain modified versions (or derivative works) under the same license (copyleft)
     • Do not restrict others from the rights granted
     • Do not use the name of the project, copyright holder or trademark to suggest endorsement or to promote
     • Disclaim any warranty and liability
  21. GNU licenses
     • GPL v2: released in 1991 (1st version released in 1989)
     • GPL v3: released in 2007
       – Installation instructions: when providing source code, you also need to provide the information needed to modify and reinstall it
       – Same as GPLv2, but sharpened in v3 to require installation info for locked-down devices (DRM)
     • LGPL (v2.0, 2.1, 3.0)
       – Developed as a "lesser" or scaled-back version of the GPL; permits use of the library in proprietary programs
     • GNU Affero GPL v3
       – Same as GPL v3 with the exception of one clause (section 13) which requires providing source code for modified versions of the work that are accessed over a network
  22. Other common OSS licenses
     • MIT License
       – If not already, quickly becoming the most popular OSS license
     • BSD (Berkeley Source Distribution)
       – 2-clause, 3-clause, and 4-clause versions
     • Apache 2.0
       – Very popular for widely used open source projects (Google/ASF)
       – Includes a patent license to patent claims licensable by contributors that would be "necessarily infringed" by the contribution or by the combination of the contribution with the work
     • Mozilla Public License v2.0 and Eclipse Public License 1.1
       – Weak copyleft
     • Common Development and Distribution License (CDDL) 1.1
       – Used extensively in Java
  23. GPL license exceptions
     • The GPL license is about freedom in software development. Cases have arisen where you may be forced to create a derivative work in order to use GPL-licensed OSS.
     • Learn and be aware of the exceptions
       – GPL linking exception
       – Autoconf Configure Script Exception
       – GCC Runtime Library Exception
       – Others: Classpath, Bison, MySQL FLOSS exception
  24. License deep dive
  25. Strong copyleft licenses
     • The GNU General Public License (all versions) and the GNU Lesser General Public License 3.0 are considered "strong" copyleft licenses
     • License obligations trigger on distribution
     • You must be able to provide corresponding, "buildable" source code
       – In GPLv3 you must also provide build/install instructions
     • You can include it in a commercial work, and you can charge people a fee for the software and support
     • You can modify the original code (a modification constitutes a derivative work, so you must provide the source of the modification)
     • You must document modifications
  26. Strong copyleft licenses (continued)
     • If you create a derivative work, you must be prepared to release the source code of your proprietary work
       – If you do not know what constitutes a derivative work, it is essential to consult a law firm that specializes in OSS and intellectual property
     • SaaS users beware: the AGPLv3 has the extra clause that requires distribution of source if modified
     • Termination is immediate and permanent; you must get reinstated by the licensor
  27. Weak copyleft licenses
     • Most common weak copyleft licenses:
       – Mozilla Public License, Eclipse Public License, Common Public License, Common Development and Distribution License (CDDL), Creative Commons Attribution-ShareAlike
     • Require you to provide source code for the original work and your modifications, but not necessarily for derivative works
     • Many allow you to simply point customers to where they can get the source code (however, if the source becomes unavailable you are still responsible)
     • Overall less enforcement than seen with the GNU licenses
     • Can be used commercially
     • Can be modified
  28. Permissive licenses
     • Most common permissive licenses:
       – MIT, BSD, Apache, zlib
     • Require you to include a copy of the license
     • Do not remove copyright notices
     • Do not use trademarks or copyright holder names to endorse or promote
     • Accept the disclaimer of warranty
     • Additional obligations, not in all permissive licenses:
       – Document modifications
       – Indemnify contributors and authors
       – Do not claim you wrote the software
     • Enforcement is more on a case-by-case basis for flagrant violations
  29. Compliance: steps you can take
     • Determine the licenses
       – Track as you download
       – Fossology, nexB scan toolkit (OSS tools for finding licenses)
     • Review the terms
       – Need help? Consult an attorney
       – Use web resources: tldrlegal.com
     • Determine active steps
       – Provide attribution
       – Provide source
       – Document modifications
     • Review and update on a regular basis (yearly? quarterly?)
  30. Fossology
  31. nexB scan-toolkit
  32. Tldrlegal.com
  33. Summary
     • Be smart about the risks associated with OSS
       – Know your risks and manage them
     • Learn the basics of OSS licenses, copyrights and patents
       – When selecting OSS, take the time to understand your rights to use (or not use) it in your development
     • Enforcement
       – The GNU licenses have the most proactive enforcement today (FSF), but any copyright holder can enforce their licenses
     • Audit your applications
       – You can't manage OSS if you don't know what you have
     • Understand how usage affects compliance
       – Distribution, hosted apps, how you use the OSS
  34. (no slide text)
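The "IF-THEN" reading of license terms (slides 13 and 14), the disjunctive/conjunctive and CDDL-vs-GPL compatibility points (slides 10 and 11) and the "determine the licenses, then determine active steps" procedure (slide 29) can be turned into a small inventory check over a dependency manifest. The script below is an added example, not code from the deck or from Rogue Wave, and it is an illustration rather than a legal tool: the `CATEGORY` table, the `RANK` ordering, the `conflicts` rule (which encodes only the CDDL/GPL incompatibility the deck cites and treats every other pair as compatible), the `Usage` scenario fields and the `SAMPLE_MANIFEST` are all assumptions constructed for the example. License ids are SPDX-style identifiers; only flat `A AND B` / `A OR B` expressions are accepted, and anything else is rejected rather than guessed at.

```python
"""License inventory check for a dependency manifest (illustration, not legal advice).
Maps SPDX-style ids to the deck's categories, resolves OR/AND (disjunctive/conjunctive)
expressions, lists the IF-THEN obligations a usage scenario triggers, flags CDDL vs GPL."""
import re
from dataclasses import dataclass
from itertools import combinations

# Category table: an assumption for this example, limited to licenses the deck names.
CATEGORY = {
    "MIT": "permissive", "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive", "Zlib": "permissive", "MPL-2.0": "weak-copyleft",
    "EPL-1.0": "weak-copyleft", "CDDL-1.0": "weak-copyleft", "CDDL-1.1": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
# Restrictiveness rank, used to prefer the least demanding side of a dual license.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "network-copyleft": 3}

def conflicts(a, b):
    """The one incompatibility the deck cites: CDDL's per-file copyleft cannot be combined
    with the GPL (any version). Treating every other pair as compatible is a simplifying
    assumption of this example, not a legal finding."""
    return ((a.startswith("CDDL-") and b.startswith("GPL-"))
            or (b.startswith("CDDL-") and a.startswith("GPL-")))

def parse_expression(expr):
    """Parse a flat expression ('MIT', 'A AND B', 'A OR B') into (op, ids).
    Mixed operators, parentheses and unknown ids are rejected rather than guessed at."""
    if "(" in expr or (" OR " in expr and " AND " in expr):
        raise ValueError(f"unsupported license expression: {expr!r}")
    op = "OR" if " OR " in expr else "AND"
    ids = [tok.strip() for tok in re.split(r"\s+(?:OR|AND)\s+", expr)]
    unknown = [lid for lid in ids if lid not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown license id(s) {unknown}: identify them before use")
    return op, ids

def resolve(manifest):
    """Pick the effective license(s) of each package in {package: expression}.
    AND entries contribute every id. For an OR entry (dual license) the alternative
    chosen conflicts with the fewest non-optional licenses elsewhere in the manifest,
    with the least restrictive category as tie-breaker."""
    parsed = {pkg: parse_expression(e) for pkg, e in manifest.items()}
    fixed = [lid for op, ids in parsed.values() if op == "AND" for lid in ids]
    effective = {}
    for pkg, (op, ids) in parsed.items():
        if op == "AND":
            effective[pkg] = list(ids)
        else:
            effective[pkg] = [min(ids, key=lambda lid: (
                sum(conflicts(lid, f) for f in fixed), RANK[CATEGORY[lid]]))]
    return effective

def find_conflicts(effective):
    """(pkg_a, lic_a, pkg_b, lic_b) for every conflicting pair, including a
    conjunctive combination inside one package."""
    pairs = [(p, lid) for p, ids in effective.items() for lid in ids]
    return [(pa, la, pb, lb) for (pa, la), (pb, lb) in combinations(pairs, 2)
            if conflicts(la, lb)]

@dataclass
class Usage:
    distributed: bool      # IF you convey source or binaries to others
    modified: bool         # IF you changed the OSS code
    network_service: bool  # IF users interact with it over a network (SaaS)

def obligations(lid, usage):
    """THEN side of the license: what this usage scenario requires of you."""
    cat, obs = CATEGORY[lid], []
    if usage.distributed:
        obs += ["retain copyright and other notices", "provide a copy of the license"]
        if cat != "permissive":
            obs.append("provide source of the original work and any modification")
        if cat in ("strong-copyleft", "network-copyleft"):
            obs.append("provide corresponding, buildable source of the derivative work")
            if usage.modified:
                obs.append("document the modifications")
            if lid.startswith(("GPL-3", "AGPL-3")):
                obs.append("provide build/install instructions")
    if cat == "network-copyleft" and usage.network_service and usage.modified:
        obs.append("provide source of the modified version to network users (AGPL section 13)")
    return obs

def report(manifest, usage):
    effective = resolve(manifest)
    return {"effective": effective, "conflicts": find_conflicts(effective),
            "obligations": {pkg: list(dict.fromkeys(o for lid in ids for o in obligations(lid, usage)))
                            for pkg, ids in effective.items()}}

# Constructed sample manifest; package names and licenses are not a real project.
SAMPLE_MANIFEST = {
    "web-framework": "MIT",
    "crypto-lib": "Apache-2.0 AND BSD-3-Clause",
    "json-parser": "CDDL-1.0 OR GPL-2.0-only",  # dual-licensed, as many Java libraries are
    "db-driver": "GPL-3.0-only",
    "reporting": "AGPL-3.0-only",
}

if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, Usage(distributed=True, modified=True, network_service=False)))
```

On the sample manifest the dual-licensed `json-parser` resolves to its GPL side because the fixed `GPL-3.0-only` dependency would conflict with the CDDL side; drop `db-driver` and the less restrictive CDDL alternative is chosen instead. The `Usage` flags are the IF side of the deck's reading: an unmodified, undistributed permissive library yields no obligations, while a modified AGPL component served over a network triggers the section 13 source requirement even with no distribution at all. The output is a starting point for the "determine active steps" list, not a substitute for reading the license text or consulting counsel.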
