Open source licensing can be complicated for laypeople to understand. The document discusses some key concepts around open source licensing including:
- Open source licenses like the GPL require sharing source code modifications, while permissive licenses like MIT do not.
- Choosing an open source license has legal implications for how software can be used and modified. Strong copyleft licenses like GPL require any changes be shared.
- Understanding license compatibility and how licenses apply to derivatives is important, as mixing licenses could require releasing entire works under more restrictive terms.
1. Exploring Open Source Licensing
...Moving between the legal concepts of open software and
open source licensing compliance by a layman...
STEFANO FAGO
2. 2
Warning
• I am not a lawyer
• An exhaustive discussion will not be made
• No personal consideration
• This is a work based on personal research
• It is always better to consult with experts if in doubt
3. 3
Open Source, Society, Morality
<< … For better or worse, software developers are
building the fabric of tomorrow's world. So, they need
to realize that many of the things they do have
ethical, social, and political implications.... >>
<< … How open source software, shared purpose
and cross sector collaboration are creating a new
template for Corporate Social Responsibility in the
form of social innovation.... >>
https://www.computer.org/csdl/magazine/so/2017/02/mso2017020004/13rRUy2YLWt
The Social Responsibility of Software Development
https://jaxenter.com/technology-for-good-173276.html
Technology as a Source for Good
4. 4
Open Source, Society, Morality
• << … We can build... cyberspace to protect
values that we believe are fundamental. Or we
can build... cyberspace to allow those values
to disappear. There is no middle ground. There
is no choice that does not include some kind of
building. Code is never found; it is only ever
made, and only ever made by us... >>
• https://www.youtube.com/watch?v=sJpXhVD18-c
Free Software: It's not about the license
5. 5
The Open Source Definition
• Free redistribution.
• Source Code Included in Licensed Software.
• Grant of modification to derivative works.
• Integrity of the source code.
• No discrimination against individuals or groups.
• No discrimination of sectors of society and
development.
• Distribution of the license to all recipients of the
same.
• The license does not have to be specific to a
product.
• The license must not restrict other software.
• The license must be technology independent
https://opensource.org/osd
7. 7
The risks of Open Source
Open source is free of acquisition costs but
is not without management costs or risks.
A company using open source must confirm
initially and on an ongoing basis that:
• the way in which open source is used
complies with related open source
licenses.
• the open source you use does not contain
any known security vulnerabilities.
A real challenge arises in managing
these risks on a corporate scale and pace.
https://www.synopsys.com/blogs/software-security/open-source-audit-data/
8. 8
Open Source Compliance : A Book
https://www.linuxfoundation.org/compliance-and-security/2018/12/open-source-compliance-in-the-enterprise/
9. 9
Open Source Compliance : Example Process
https://www.linuxfoundation.org/resources/open-source-guides/using-open-source-code/
10. 10
License Compliance : Example Architecture
http://turingmachine.org/~dmg/papers/dmg2012_softwareKenen.pdf
12. 12
Open Source License Indemnification
The commercial use of open source leads, among other things, to the concept of indemnification for inappropriate use in the relationship between Vendor and Customer.
Indemnification can be offered by a Vendor who uses open source artifacts to increase the added value of their products, thus also increasing their credibility and reputation.
https://www.activestate.com/blog/open-source-indemnification-why-you-should-care
14. 14
What is Intellectual Property
The term Intellectual Property indicates a
system of legal protection of intangible assets
resulting from the creative and inventive activity
of man (artistic and literary works, industrial
inventions and utility models, design and
trademarks, ...)
Forms of intellectual property are:
• Copyright
• Patent
• Trademark
• Trade Secret
15. 15
Is Copyright the default?
In most jurisdictions, any code or content is automatically
copyrighted by the author, with all rights reserved, unless otherwise
stated. While it is a good idea to state the author and copyright date
in the header of any code or document, failing to do so does not
mean that the author has no rights.
16. 16
Is Copyright the default? (Italy)
(Italian law) The creator of a work acquires the status of author, the work being a particular expression of intellectual work. Therefore, the owner of the copyright (which has a dual nature, moral and economic) is always the creator of the work, from the moment of its conception.
The author of a work is guaranteed the exclusive right to publish it,
to economically use the work in any form and way, to reproduce it, to
disseminate it, to distribute it and put it into circulation, to publish it
in collections and to modify it, to rent it and to lend it.
The right of economic use of the work lasts for the entire life of the
author, up to the seventieth year after his death.
17. 17
Copyright Vs Copyleft
Copyleft, unlike copyright, is a permission granted by the author and managed through a licensing system: this implies that copyleft is a subcategory of copyright (conceptually, there is no copyleft without copyright).
Copyleft can be applied to a multitude of works, ranging from
software, to scientific discoveries, to documents and art.
18. 18
Copyleft applied to IT (base concept)
In IT, the copyleft regime rests on one main condition: when the modified work is distributed, it must be distributed under the same legal regime (and the same license). In this way, the copyleft regime, and the whole set of freedoms deriving from it, are always guaranteed at each release.
19. 19
What does Copyleft imply?
Copyleft implies license conditions whereby:
• If I distribute as source, there is no particular action to take
• If I distribute binaries, they must be accompanied by the sources, bearing the copyleft license and its conditions
The conditions apply to the original software, to the binary distribution, and to any changes implemented and distributed.
21. 21
Open Source, Development and Licensing
Open source is simultaneously:
• a licensing model
• a development model
where the former is at the service of the latter
22. 22
What is a License?
A License is an official permission to
use, modify or own a given thing.
As for the software, it can be defined
as the granting of rights by those who
produce the software to those who
wish to use it, on how it can be used
and shared.
This is a set of guidelines on the
obligations and responsibilities
associated with the use and
distribution of the software program.
https://tldrlegal.com/
23. 23
Types of Open Source Licenses
Permissive License: allows you to perform any action on the software subject to a single type of condition, namely that distributing the software involves reporting the license
Copyleft License: allows you to act on the software, but if a change is made it is necessary to share the source code
http://www.vinayiyengar.com/2020/09/09/apache-combinator/
24. 24
Different Source Licenses
Permissive License: MIT, BSD-2-Clause, BSD-3-Clause, Apache-2.0
Weak Copyleft License: Lesser GNU Public License (LGPL-2.0, LGPL-2.1 or LGPL-3.0), Mozilla Public Licenses (MPL-1.0, MPL-1.1 or MPL-2.0), Eclipse Public License (EPL-1.0 or EPL-2.0), Common Development and Distribution License (CDDL-1.0 or CDDL-1.1)
Strong Copyleft License: GNU General Public Licenses (GPL-2.0 and GPL-3.0), Affero General Public License (AGPL-3.0)
https://www.slideshare.net/marceldvries/best-practices-for-using-open-source-software-in-the-enterprise
25. 25
Comparison of Open Source Licenses
https://moqod.com/understanding-open-source-and-free-software-licensing/
26. 26
Comparison of Open Source Licenses
https://www.compact.nl/articles/the-risks-of-open-source-software-for-corporate-use/
27. 27
Other types of Open Source License
Public Domain
• A work in the public domain is not copyrighted and unlicensed.
• It can be used by anyone for any purpose for free.
• Getting software into the public domain is a tricky business.
https://creativecommons.org/about/downloads/
28. 28
Other types of Open Source License
Source Available
An emerging license type, intended to be applied to code that cannot be distributed as a service.
This type of license arose in response to cloud providers, such as Amazon, packaging, rebranding and profiting from open source projects deployed on their cloud platforms.
Popular examples include the Redis Source Available License (RSAL), MongoDB's Server Side Public License (SSPL), the Cockroach Community License (CCL), or licenses to which the Commons Clause has been added.
29. 29
Other types of Open Source License
Dual Licensing
• It can be a problematic choice
• The defined code must be compatible with both licenses
• It does not necessarily imply that the user must comply with both licenses; the user can choose which one they want to comply with
https://jaxenter.com/dual-licensing-tricky-business-111606.html
31. 31
How many licenses are there?
You can find out from some reference sites:
• https://spdx.org/licenses/
• https://www.gnu.org/licenses/license-list.html
• https://opensource.org/licenses
• https://creativecommons.org
33. 33
Let's understand the consequences of a license...
Let's see with a practical example what
are the consequences on a project in
adopting artifacts subject to a given
open source license, passing from
permissive to copyleft.
The idea comes from the work of
Jim Jagielski currently UBER's
Technical Staff Manager
Open Source Office
https://www.youtube.com/watch?v=mb9ZmxbXVZ8
https://www.youtube.com/watch?v=Vu_x8wrmHtA
34. 34
Let's understand the consequences of a license...
Suppose a company wants to make biscuits
and has a recipe for the cream in the
biscuit, licensed in a proprietary manner.
Let's see what happens when assembling
the biscuit by changing the license of the
recipe to make the solid part.
Solid Part: License ?????
Cream: Proprietary License
35. 35
Let's understand the consequences of a license...
Suppose that the recipe of the solid part is of the permissive type (e.g. MIT).
If it is decided to alter the recipe, the company does not have to do anything. The cream is under proprietary license, as is the biscuit; the company only has to state on the biscuit packaging where the original recipe of the solid part comes from.
Solid Part: MIT License
Cream: Proprietary License
Biscuit: Proprietary License
36. 36
Let's understand the consequences of a license...
Suppose that the solid part recipe is of the weak copyleft type (e.g. MPL).
If it is decided to alter the recipe, the company must share the changes made to the original recipe. The cream is under proprietary license, as is the biscuit, and the biscuit packaging must state where the original recipe of the solid part comes from.
Solid Part: MPL License
Cream: Proprietary License
Biscuit: Proprietary License
37. 37
Let's understand the consequences of a license...
Suppose that the solid part recipe is of the strong copyleft type (e.g. GPL).
If it is decided to alter the recipe, the company must share the changes made to the original recipe and, despite the fact that the cream is under proprietary license, the whole biscuit is licensed under the copyleft regime, thus losing the industrial secret on the recipe of the cream.
Solid Part: GPL License
Cream: Proprietary License
Biscuit: GPL License
39. 39
Contribute to an Open Source Project
Employee Contribution Policies: in a company, it may be necessary to develop a company policy that specifies how employees contribute to open source projects.
A clear policy will reduce confusion among employees and help them contribute to open source projects in the best interest of the company, both as part of their work and in their spare time.
40. 40
Open Source Program/Project
The spread of Open Source has led to two relevant phenomena:
• many developers create their own side projects to work on
• companies can decide to define an Open Source Program, supervised by a specific office, in order to create a stronger development culture and better quality of artifacts, while respecting and contributing to the values and activities of the Open Source world.
In both situations, legal support is essential to avoid problems for both the company and the employee.
https://todogroup.org/
41. 41
Contributor License Agreement
Why a contribution agreement?
• To force contributors to accept the
terms of the contribution
• For the developers to declare that
every activity they do is authorized
• The project uses an open source license
which does not include an explicit
patent grant (such as MIT) and needs a
patent grant from all contributors
• The project is under a copyleft license,
but you also want to distribute a
proprietary version of the project
• The project may need to change
licenses over the course of its life, and
contributors are expected to accept
these changes in advance
https://en.wikipedia.org/wiki/Contributor_License_Agreement
https://ben.balter.com/2018/01/02/why-you-probably-shouldnt-add-a-cla-to-your-open-source-project/
43. 43
Better viral or monetizable?
https://www.youtube.com/watch?v=DDx6gjwU0K8
44. 44
... Do you have any doubts? Try with ...
Freely usable sites can help you understand the type of licenses in place or the situation of an artifact:
https://tldrlegal.com/ allows you to search for the most popular licenses and offers a summary of them
https://choosealicense.com/ supports you in choosing a license for your project, looking at the surrounding conditions
https://clearlydefined.io proposes an assessment of the clarity of artifacts / projects, highlighting their licenses, correlations and defects in the metadata accompanying them
45. 45
Initiatives related to the Licensing topic
Open Source Initiative for OSI Approved License List (https://opensource.org/licenses/category)
SPDX initiative dedicated to the definition of a standard format for the provision of license information in open source software (https://spdx.dev/ and https://spdx.org/licenses/)
Open Chain initiative dedicated to the definition of a standard process for Software Compliance (https://www.openchainproject.org/)
46. 46
Initiatives related to the Licensing topic
REUSE initiative dedicated to the definition of tools and processes to create open source software with the correct license files (https://reuse.software/)
Blue Oak Council initiative dedicated to supporting understanding of licenses and compliant use of open source software (https://blueoakcouncil.org/)
47. 47
Licensing Compliance: Open Source Projects
https://github.com/nexB/scancode-toolkit
https://github.com/oss-review-toolkit/ort
https://www.fossology.org/
https://github.com/github/licensed
https://github.com/licensee/licensee
https://github.com/pivotal/LicenseFinder
https://github.com/eclipse/antenna (only Java and Node.js)