Ipr08 2 Beware Of Your Creations Bruno Lowagie



  1. Beware of your creations
     iText, a Free / Open Source PDF library
     Case Study: IPR project, by Bruno Lowagie
  2. What is iText?
     • iText is a Free / Open Source Software library that allows Java and .Net developers to enhance their applications with PDF generation and manipulation functionalities.
     • iText is used by Google, Adobe, JasperSoft, IBM, NASA, the DoD, KLM, NMBS, FedEx, UPS, many different governments, banks, insurance companies, and so on.
     • If you want to find out more about iText visit Or read the book “iText in Action”
  3. Context of the IPR project
     • IBM and SUN are competitors.
     • IBM created the Eclipse Foundation to compete with SUN on the Java front.
     • Eclipse is an Integrated Development Environment (IDE).
     • Eclipse is a Java-oriented Open Source Community.
     • Eclipse offers a suite of Open Source products.
     • Different Eclipse projects are led by different companies; each project/product has its own release cycle.
  4. Context of the IPR project
     • The Callisto Simultaneous Release (July 2006) was the first time a suite of selected products was released simultaneously.
     • This release was fully tested by IBM and hosted on servers from the Eclipse Foundation.
     • Eclipse/BIRT was part of this simultaneous release.
     • Eclipse/BIRT is a Business Intelligence & Reporting Tools project led by Actuate.
     • Eclipse/BIRT uses iText for PDF generation.
  5. Context of the IPR project
     • IBM only wanted to host iText on their servers if:
       • The iText license (MPL/LGPL) was changed to EPL.
       • The iText code was vetted and accepted by IBM’s legal department: the IP of the iText source code had to be 100% OK.
     • None of these conditions were met; as a result iText was not a part of the Callisto Simultaneous Release; users had to download it separately.
     • The Eclipse Foundation tried to put pressure on Bruno to release iText under the EPL.
  6. Context of the IPR project
     • Bruno’s response: Changing to EPL is a No-Go for the iText community. If IBM doesn’t want to use iText: it’s not our problem; it’s IBM’s problem!
     • But Actuate wanted to use iText…
     • Solution: a Research Agreement was signed between Actuate and Ghent University (Bruno’s employer) to create a detailed IP Report for iText and to solve all possible IP issues reported by IBM Canada.
     • The goal was the integration of iText in the Eclipse Europe release (July 2007).
     • By the way: we made the release!
  7. The Problem with F/OSS Software
     • A F/OSS library is a joint effort of many different people.
     • A F/OSS library such as iText grows organically.
     • Looking at the source code of many projects, you have:
       • a White zone: code of which the IP is 100% clear; you know because you have written the code yourself.
       • a Gray zone: code that was contributed by others. Where did they get this code? Did they write the code? Were they allowed to contribute that code?
       • a Black zone: code that was integrated in the library, but for which there was no license or authorization.
  8. The White Zone
     • You have written the code yourself, but…
       • What about your employer? Does your employer own (part of) the code? Do you have a formal agreement with your employer with respect to F/OSS?
       • Where did you get your inspiration? IBM developers are forbidden to look at any code that is not formally approved by IBM’s legal team. Good practice or burden?
     • Note: you don’t always need to own the IPR to do business with F/OSS! For instance: in the past, iText licenses were sold by PDF Sages (now acquired by Adobe Systems).
  9. The Gray Zone
     • The code was contributed, but…
       • Did the contributor agree with the license?
       • Did the contributor’s employer agree?
       • Where did the contributor get his inspiration?
     • The Apache Foundation requires contributors and their employers to sign a Contributor License Agreement (CLA).
     • SUN requires contributors to sign a Sun Contributor Agreement (SCA) from the moment the contributions contain more than 20 lines of code.
  10. The Gray Zone
     • The code was taken from another project, but…
       • Are the licenses compatible?
       • Do you respect the other project’s license?
       • Where did the other project get its code from?
     • Always keep an online inventory of:
       • All Contributors (if possible: let them sign a CLA)
       • All F/OSS Projects used (subset / derivative work)
  11. The Black Zone
     • Unfortunately it may happen that you were not allowed to use some specific code that is part of your project.
     • Solution: either you ask (and get!) permission, or you remove the code.
  12. Examples: Turning Gray and Black into White
     • A selection of issues that were solved in the context of the Research Agreement between Actuate and Ghent University.
     • These issues were reported by IBM’s Legal Department in Canada.
     • These issues were solved by Bruno Lowagie, and they give an idea of the work involved when maintaining a successful F/OSS project.
     • Writing code is the easy part of the job ;-)
  13. Example 1: JavaWorld article
     • State Machine to parse XML quickly: Source code taken from/inspired by this article
     • Fine print: Copyright - All contents of JavaWorld, including text, programs, applets, source code, and images are copyrighted and owned by IDG or the copyright holder specified, all rights reserved. No material may be reproduced electronically or in print without written permission.
     • Solution: write JavaWorld and author, get permission!
     • There were many other places where licenses were incomplete or missing!
  14. Example 2: RC4
     • Class names and variable names referring to RC4
     • RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list. It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet. Because the algorithm is known, it is no longer a trade secret. The name "RC4" is trademarked, however. The current status seems to be that "unofficial" implementations are legal, but cannot use the RC4 name. RC4 is often referred to as "ARCFOUR" or "ARC4" (meaning Alleged RC4, because RSA has never officially released the algorithm), to avoid possible trademark problems.
     • Solution: change RC4 into ARCFOUR in all files
  15. Example 3: IntHashtable
     • Class IntHashtable
     • Taken from
         // This is 90% based on JavaSoft's java.util.Hashtable.
         // Visit the ACME Labs Java page for up-to-date versions of this and other
         // fine Java utilities:
     • JavaSoft is a name used by Sun in the past in their Java activities.
     • Sun indicates use of the class java.util.Hashtable, which is subject to an unfriendly Sun license.
     • It is unlikely that this code is available under a license that permits this use. Without information indicating that Sun approved of this usage, the class should not be used.
     • Solution: use the same class released by Apache under the APL in Apache-Commons instead of the ACME class.
  16. Example 4: EPS
     • EPS Functionality
     • Taken from an example released by SUN under a Sample License.
     • The Sample License allowed the use of the code, but the source code contained this text:
         /*
          * Copyright 1998 by Sun Microsystems, Inc.,
          * 901 San Antonio Road, Palo Alto, California, 94303, U.S.A.
          * All rights reserved.
          *
          * This software is the confidential and proprietary information
          * of Sun Microsystems, Inc. ("Confidential Information"). You
          * shall not disclose such Confidential Information and shall use
          * it only in accordance with the terms of the license agreement
          * you entered into with Sun.
          */
     • Solution: after a very long argument about this comment section versus the Sample License, EPS functionality was dropped.
  17. Example 5: Fedora Linux and nuclear facilities
     • JAI code
     • Taken from JAI (by SUN), originally released under a very liberal License.
     • However, the license text contains the following clause:
         /*
          * You acknowledge that Software is not designed, licensed or
          * intended for use in the design, construction, operation or
          * maintenance of any nuclear facility.
          */
     • As long as the word “license” isn’t removed, iText can’t be distributed with Fedora Linux.
     • Solution: direct communication with the core developers to solve the problem.
  18. Finally
     • You can save a lot of work by doing things the right way right from the start.
     • If it’s too much work, or if it gets in the way of doing your work, you are not alone!
  19. Finally
     If you have built castles in the air,
     Your work need not be lost;
     That is where they should be.
     Now put the foundations under them.
     (Henry David Thoreau – Walden)
  20. Questions
     Q&A