© 2016, iText Group NV© 2016, iText Group NV
OPEN SOURCE INDIA
Open source: an introduction to IP and Legal
Bruno Lowagie, CTO iText Group NV

© 2016, iText Group NV
Introduction: who and what?
Open Source: an introduction to IP and Legal2
Bruno Lowagie
Original developer of iText
ex-CEO, current CTO at iText Group

© 2016, iText Group NV
Disclaimer: IANAL
• In this talk, I merely share my experience with legal issues.
• “The law” can be different in different countries, and
• Software is usually international and local laws may apply
I’m an open source developer, not a lawyer
Open Source: an introduction to IP and Legal3

© 2016, iText Group NV
Open Source: an introduction to IP and Legal4
Agenda
Intellectual property (IP) of a project
Open source licenses
Case story: IP review of the iText source code

© 2016, iText Group NV
A quick show of hands
Who knows
Stack Overflow?
Open Source: an introduction to IP and Legal5

© 2016, iText Group NV
A quick show of hands
Who knows
Stack Overflow?
Who uses code
snippets from
Stack Overflow?
Open Source: an introduction to IP and Legal6

© 2016, iText Group NV
A quick show of hands
Who knows
Stack Overflow?
Who uses code
snippets from
Stack Overflow?
Who knows
which license
Stack Overflow
uses?
Open Source: an introduction to IP and Legal7

© 2016, iText Group NV
CC-BY-SA version 3.0
Open Source: an introduction to IP and Legal8

© 2016, iText Group NV
Attribution
Summarized:
Explain origin
Add link to question
Add author name
Add link to author profile
Open Source: an introduction to IP and Legal9
http://stackexchange.com/legal:
In the event that You post or otherwise use Subscriber Content outside of the
Network or Services, with the exception of content entirely created by You, You
agree that You will follow the attribution rules of the Creative Commons Attribution
Share Alike license as follows:
a) You will ensure that any such use of Subscriber Content visually displays or
otherwise indicates the source of the Subscriber Content as coming from the Stack
Exchange Network. This requirement is satisfied with a discreet text blurb, or some
other unobtrusive but clear visual indication.
b) You will ensure that any such Internet use of Subscriber Content includes a
hyperlink directly to the original question on the source site on the Network (e.g.,
http://stackoverflow.com/questions/12345)
c) You will ensure that any such use of Subscriber Content visually display or
otherwise clearly indicate the author names for every question and answer so used.
d) You will ensure that any such Internet use of Subscriber Content Hyperlink
each author name directly back to his or her user profile page on the source site on
the Network (e.g., http://stackoverflow.com/users/12345/username), directly to
the Stack Exchange domain, in standard HTML (i.e. not through a Tinyurl or other
such indirect hyperlink, form of obfuscation or redirection), without any “nofollow”
command or any other such means of avoiding detection by search engines, and
visible even with JavaScript disabled.

© 2016, iText Group NV
Share Alike
Copyright law
• allows an author to
prohibit others from
reproducing, adapting, or
distributing copies of the
author's work.
Copyleft
• gives every person who
receives a copy of a work
permission to reproduce,
adapt or distribute the
work as long as any
resulting copies or
adaptations are also
bound by the same
copyleft licensing scheme.
Open Source: an introduction to IP and Legal
©
©
10

© 2016, iText Group NV
Do you have to worry?
Open Source: an introduction to IP and Legal11
Sam Saffron: http://meta.stackexchange.com/users/17174/waffles
Jason Baker: http://meta.stackexchange.com/users/2147/jason-baker
Stack Exchange has been trying to
fix these issues for years now,
but the problem persists.

© 2016, iText Group NV© 2016, iText Group NV
Intellectual property
You’re an open source developer, but:
 Who owns the code you write?
 Who owns the code you use?

© 2016, iText Group NV
A typical project
Open Source: an introduction to IP and Legal13
White zone
Gray zone
Black zone

© 2016, iText Group NV
The White Zone
Open Source: an introduction to IP and Legal14
White zone
Gray zone
Black zone

© 2016, iText Group NV
The White Zone
You have written the code yourself, but
What about your employer? Does your employer own (part of) the code?
Do you have a formal agreement with your employer with respect to
F/OSS?
Where did you get your inspiration? IBM developers are forbidden to look
at any code that is not formally approved by IBM’s legal team. Good
practice or burden?
Open Source: an introduction to IP and Legal15

© 2016, iText Group NV
Employees and IP
Open Source: an introduction to IP and Legal16
Dilbert:
Copyright by Scott Adams
Fair Use

© 2016, iText Group NV
The Gray Zone
Open Source: an introduction to IP and Legal17
White zone
Gray zone
Black zone

© 2016, iText Group NV
The Gray Zone
The code was contributed, but
did the contributor agree with the license?
did the contributor’s employer agree?
where did the contributor get his inspiration?
The code is taken from another project, but
are the licenses compatible?
do you respect the other project’s license?
where did the other project get its code from?
Open Source: an introduction to IP and Legal18

© 2016, iText Group NV
The Gray Zone
Contributor License Agreements
The Apache Foundation demands contributors and their employers to
sign a CLA
SUN used to demand contributors to sign an SCA from the moment
contributions contained more than 20 lines of code
“Fair Use”: does not apply to source code in the USA!
Check License Compatibility
Keep a detailed inventory of all F/OSS projects (subset / derivative work)
Open Source: an introduction to IP and Legal19

© 2016, iText Group NV
License compatibility
Open Source: an introduction to IP and Legal20
Your product: ASLv2
GPLv2
Your product: LGPLv3
ASLv2

© 2016, iText Group NV
The Black Zone
Open Source: an introduction to IP and Legal21
White zone
Gray zone
Black zone

© 2016, iText Group NV
The Black Zone
Unfortunately, you might not have been allowed to use
some specific code that is now part of your project.
Possible solutions:
 Either you ask (and get!) permission, or
 You rewrite the code, or
 You remove the code.
Open Source: an introduction to IP and Legal22

© 2016, iText Group NV© 2016, iText Group NV
Open source licenses
 Copyright versus Copyleft
 How open source licenses work
 Open source business models

© 2016, iText Group NV
Open Source License overview
Open Source: an introduction to IP and Legal24

© 2016, iText Group NV
GPL-style software licenses
It’s all about distribution
Open Source: an introduction to IP and Legal25
License: MPL / LGPL GPL AGPL
Car distribution
(e.g. OEM)
Commercial use? OK for gratis commercial use Commercial license needed Commercial license needed
Bus service
(e.g. SaaS)
Commercial use? OK for gratis commercial use OK for gratis commercial use Commercial license needed
Free/Proprietary Before iText 5:
Improvement engine: LGPL
Car or bus: can be proprietary
Car: must be GPL
Bus: can be proprietary
Since iText 5:
Car or bus: must be AGPL
Or: buy commercial license

© 2016, iText Group NV
Open Core licensing: e.g. iText 7
Open Source: an introduction to IP and Legal26
Open source
Closed source

© 2016, iText Group NV
Business Source License: e.g. MariaDB
Open Source: an introduction to IP and Legal27
All source code is open,
but not “open source”:
it’s “business source”.
MaxScale is only needed
in case of heavy use of
MariaDB.
This prevents perceived
abuse by GAFA & co.

© 2016, iText Group NV© 2016, iText Group NV
Case study
Who owns iText?
 Mapping the white zone
 Clarifying the gray zone
 Refactoring or removing the black zone

© 2016, iText Group NV
Who was asking this question?
July 2006: Eclipse Simultaneous Release
‘Callisto’; tested and approved by IBM
Eclipse/BIRT (Actuate) is part of this release
Project led by Actuate
iText is used in Eclipse/BIRT
License MPL/LGPL: not acceptable for IBM
Research agreement between Actuate and Ghent University with as
deliverable: IP Review
Open Source: an introduction to IP and Legal29

© 2016, iText Group NV
Turning Gray and Black into White
Open Source: an introduction to IP and Legal30
White zone
Gray zone
Black zone

© 2016, iText Group NV
In practice
Source code was vetted by lawyers
Source code was screened using software
Weekly reports listing potential issues
Open Source: an introduction to IP and Legal31

© 2016, iText Group NV
Issue 1: Quick&Dirty XML parser
State machine to parse XML
Source code taken from:
http://www.javaworld.com/javaworld/
javatips/jw-javatip128.html
Open Source: an introduction to IP and Legal32

© 2016, iText Group NV
Read the fine-print!
Open Source: an introduction to IP and Legal33
All contents of JavaWorld, including text,
programs, applets, source code, and images are
copyrighted and owned by IDG or the copyright
holder specified, all rights reserved. No material
may be reproduced electronically or in print
without written permission.

© 2016, iText Group NV
Solution 1
Write JavaWorld and author, get permission!
There were many other places where license information was incomplete
or missing.
It must become your second nature to ask for permission and to
document! document! document!
Open Source: an introduction to IP and Legal34

© 2016, iText Group NV
Issue 2: RC4 encryption algorithm
Names and variables referring to RC4
RC4 was initially a trade secret, but in September 1994 a description of it was
anonymously posted to the Cypherpunks mailing list.
It was soon posted on the sci.crypt newsgroup, and from there to many sites on
the Internet. Because the algorithm is known, it is no longer a trade secret.
The name "RC4" is trademarked, however. The current status seems to be that
"unofficial" implementations are legal, but cannot use the RC4 name.
Open Source: an introduction to IP and Legal35

© 2016, iText Group NV
Solution 2
RC4 is often referred to as "ARCFOUR" or "ARC4" (meaning Alleged RC4,
because RSA has never officially released the algorithm), to avoid possible
trademark problems.
Change all class and variable names:
 Don’t use: RC4_ENCRYPTION
 Use: ARCFOUR_ENCRYPTION
Open Source: an introduction to IP and Legal36

© 2016, iText Group NV
Issue 3: Class IntHashtable
Code taken from ACME.com:
// This is 90% based on JavaSoft's java.util.Hashtable.
// Visit the ACME Labs Java page for up-to-date versions
// of this and other fine Java utilities:
// http://www.acme.com/java/
JavaSoft is a name used by Sun in the past in their Java activities.
ACME indicates use of the class java.util.Hashtable which is subject to unfriendly Sun license
It is unlikely that this code is available under a license that permits this use. Without information
indicating that Sun approved of this usage the class should not be used.
Open Source: an introduction to IP and Legal37

© 2016, iText Group NV
Solution 3
Use the same class released by Apache under the ASL in Apache-
Commons instead of the ACME class.
Open Source: an introduction to IP and Legal38

© 2016, iText Group NV
Issue 4: EPS functionality
Taken from an example released by SUN under a Sample License
The Sample License allowed the use of the code, but…
The source code contained this text:
/*
* Copyright 1998 by Sun Microsystems, Inc.,
* 901 San Antonio Road, Palo Alto, California,
* 94303, U.S.A. All rights reserved.
*
* This software is the confidential and proprietary
* information of Sun Microsystems, Inc.
* ("Confidential Information"). You shall not
* disclose such Confidential Information and shall
* use it only in accordance with the terms of the
* license agreement you entered into with Sun.
*/
Open Source: an introduction to IP and Legal39

© 2016, iText Group NV
Solution 4: remove the code
After a very long argument about the liberal Sample License versus
the strict comment section (which was clearly overlooked at the
moment the code was released to the public), the EPS functionality
was removed from the iText code base.
It’s better to be safe than sorry…
Open Source: an introduction to IP and Legal40

© 2016, iText Group NV© 2016, iText Group NV
Results of this exercise
 We work with CLAs and keep track of contributors
 We changed the license from MPL/LGPL to AGPL
 We created a successful business

© 2016, iText Group NV
Contributor License Agreement
Open Source: an introduction to IP and Legal42

© 2016, iText Group NV
Today: disciplined IP “book keeping”
Open Source: an introduction to IP and Legal43

© 2016, iText Group NV
Commercial open source
Open Source: an introduction to IP and Legal44
Enterprise
closed
source
open
source
commercial
source
FOSS Company
The product is available for
free for those who accept
and comply with the F/OSS
license
If the product is also
distributed under another
license, a commercial
license is needed.
The FOSS company makes
the product available under
a custom license for those
who pay for the product:
• Support,
• Warranty,
• Indemnification,
• Release from the
requirements of the
F/OSS license