Introduction of foss license & fos sology 20130911_v2

Jan. 2012
Introduction of
Free/Open-source Software License
and FOSSology
Ryan Cho
JNR321
2013/09/11

Outline
Preface
Free/Open Source License
 History
 Basic Concept
 License Categories
 BSD/MIT, GPL/LGPL, MPL
FOSSology
 Introduction
 Result of License Scanning
Conclusion
Reference

3
Confidential Material for Internal Use Only
Preface
How do we programming?

4
Preface

5
Preface
Download
&
Combine

6
Preface
Open Source
≠
Development
Methodology

7
Preface
Open Source
=
License

9
Free Open Source License - History
Free Software
coined in 1985 by Richard M. Stallman
GNU operating system began in January 1984
Free Software Foundation (FSF) was founded in
October 1985
Moral and Spirit as keynote

10
Free Open Source License - Basic Concept
Spirits of Free Software
Four Freedoms
 Freedom to run the program
 Freedom to study and adapt the program
 Freedom to redistribute
 Freedom to improve and feedback community

11
Free Open Source License - History
Open Source Software
Bruce Perens & Eric Steven Raymond
Open Source Initiative (OSI) 1998
Eclecticism (折衷主義)、Commercial Thinking
Quality as keynote

12
Definition of Open-source Software
Six Common Features
 Open source code
 No specific authorization object
 No restrictions on used region
 No fee for license
 No accompanying with guarantee
 Provide derivative works to others

13
Free Software
Open Source Software, OSS
Free/Open Source Software, FOSS
Free/Libre/Open Source Software, FLOSS

14
Similar terms
Freewave (免費軟體)
 Free to use, no source code
Shareware (共享軟體)
 Usually free to use with time or features limitation, no source code
 Commercial version for sale
Public Domain (公共財軟體)
 intellectual property rights have expired, have been forfeited, or are inapplicable.

15
Free Open Source License Categories
Different contents of free license terms
Proprietary
Software
License
GPL LGPL
AGPL
EPL/CPL
MPL/CDDL
Apache
2.0
MIT/BSD
Public
Domain

16
License Categories – BSD/MIT
Copyright (c) <year>, <copyright holder>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the <organization> nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
and associated documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
BSD
MITC
D
C
D

17
C + D
C: Copyright Notice (著作權聲明)
D: Disclaimer (免責聲明)
Users have large scale of usage rights and small amount of obligations
Suggestion to be marked at
Source code
 Files: README, LEGAL, LICENSE
Application
 “About” label
Embedded system devices
 User manual

18

19
Free Open Source License
Copyleft
Achieve four freedoms
Copyright-based
Pre-authorize out the rights
Users need to authorize their works with the same method
Open my source code for you
to modify, you need to open
yours with the same rules
Authorization
constraints

20
License Categories - GPL
GNU General Public License v. 1 (1989)
Authorization constraints
Viral Effect(授權感染性)
License Capture(授權獲取性)
License Reciprocal(授權互惠性)
License Inheritance(授權繼承性)
Freedom, Sharing, Reciprocal. We always have to DO this!

21
GPL Schematic diagram
GPL Program
New Program
Modified or
Linking
GPL Program

22
Works Based on the Program
1. Modified
 A (GPLed) --> A’(GPLed)
2. Used
 A + B-portion (GPLed) --> A’(GPLed)
3. Linking
 A + B (GPLed) --> C (GPLed)

23
License Categories – GPL
GPL authorization constraints
A
GPLed A Program B Program
B
Object code
Source code
C
Want to modify
Provide
object code
Ask for
source code
B has obligation to
provide source code to
C
Distribution!!!

24
License Categories – GPL
GPLv2 vs. GPLv3
Principle: Incompatible with each other
 Internationalization: v3 used new terminology, rather than using language tied to
US legal concepts
 Patents: v3 specifically address patents
 “Tivo-ization”: v3 address the restrictions (like Tivo’s) in consumer products that
take away, though hardware, the ability to modify the software
– DRM: v3 address digital rights management
 Termination: v3 addressed specifically what happens if the license is violated and
the cure of violations
Exception
 “GPL version 2 or later” → “GPLv3”
Matrix of GPL compatibility
 All Compatibility of GPL

25
License Categories - LGPL
GNU Lesser General Public License v. 2 (1991)
GNU Lesser General Public License v. 2.1 (1999)
GNU Lesser General Public License v. 3 (2007)
GNU Library General Public License

26
LGPL Schematic diagram
LGPL Library
New Library
Modified
LGPL Library

27
LGPL Schematic diagram
LGPL Library
New Program
Linking
New Program

28
Works Based on the Program
1. Modified
 A (LGPLed) --> A’(LGPLed)
2. Used
 A + B-portion (LGPLed) --> A’(LGPLed)
3. Linking
 A + B (LGPLed) --> A + B (LGPLed)

29
License Categories – GPL/LGPL
Opening of GPL authorization constraints
Criteria: Distribution behavior
Occurred obligation: Provide source code
No distribution behavior, no source code providing
 ASP (Application Service Provider)
– Does not be restricted by GPL

30
License Categories – AGPL
AGPL
AGPL-3.0, GNU Affero General Public License 3.0
 ASP (Application Service Provider)
 Provides network services = distribution behavior, you must provide source code
 Except the term XIII, the others is the same as GPLv3

31
License Categories - AGPL
AGPL Schematic diagram
AGPL Program
New Program
Combined /
Closely related
AGPL Program

32
License Categories – GPL/LGPL

33
License Categories - MPL
Mozilla Public License 1.1
Common Development and Distribution License 1.0
Common Public License 1.0 / Eclipse Public License 1.0

34
MPL Schematic diagram (File-separated)
MPL Program
X
Y
Y
X
X
X
X
Y
Y
Y X
MPL Program
MPL License
X License
Y License
Compatibility between the License Terms

35
MPL authorization constraints
Partial constraints
Copyleft only for original scope of authorization
 Do not affect to infect my codes
MPL/CDDL (Files)
 Object files comes from MPL/CDDL files need to use MPL/CDDL
 Our own source code is up to ourselves
EPL/CPL (Modules)
 Our own Independent module is up to ourselves

36
License Categories – MPL/CDDL

37
License Categories
Different Marker, Different Purpose
BSD - Academic institutions - Reputation
GPL - Software Developers - Research
Others - Commercial - Benefit

38
FOSS License Categories
Common License Term Sheet
Categories License Terms Full Name
BSD class Apache 1.1 Apache Software License 1.1
Apache 2.0 Apache License 2.0
BSD New BSD License
MIT MIT License
Zlib/libpng Zlib/libpng License
GPL class GPL GNU General Public License 2.0/3.0
LGPL GNU Lesser Public License 2.1/3.0
AGPL GNU Affero Public License 3.0
Other class CPL/EPL Common Public License 1.0 / Eclipse Public License 1.0
MPL Mozilla Public License 1.1
CDDL Common Development and Distribution License 1.0
QPL Qt Public License 1.0
Artistic 2.0 Artistic License 2.0

39
FOSS License Compatibility
An arrow from box A to box B
We can combine software with these licenses
Combined result - effectively has the license of B, possibly with additions
from A
A B

40
FOSS License Compatibility (in Principle)
Is it possible to exist different licenses in one program?
◎: it is compatible, it can exist two types of license at the same time
◇: it is compatible, but replaced by Green item and eliminated Blue item
△: it is compatible, this is special coexisted case for MPL and GPL
X: it is not compatible
GPL MPL BSD Specific
GPL × × ◇ ×
MPL △ ◎ ◎ ◎
BSD × ◎ ◎ ◎
Specific × ◎ ◇ Agreement

42
Introduction
FOSSology (http://fossology.org)
an open source compliance toolset that provides license and copyright
discovery
Goal: Create a public open source software repository together with tools to
maintain the repository and facilitate analysis, storage, and sharing of
metadata
Find and manage licenses in code base
Hewlett Packard (HP) initiate FOSSology.
Open Source Project - FOSSology Team
Using FOSSology
Installation - http://fossology.org/download
Offical demo server at http://repo.fossology.org

43
How FOSSology Works
Web GUI Repository
PostgreSQL Agents
files
store
scan
store result
report
FOSSology

44
Snapshot - Homepage
Menu

45
Snapshot - Upload
select folder
URL
select analysis

46
Snapshot - Scanning Process
Scanning process
1. Log into the FOSSology UI
2. Upload compress file by localhost or URL into FOSSology
3. After uploading finish, FOSSology scheduled this new job
4. Job9 - Job11 is processed in sequence
5. Job 12 - Job15 is processed concurrently
– Job 12: Copyright/Email/URL Analysis
– Job 13: MIME-type Analysis (Determine mimetype of every file)
– Job 14: Nomos License Analysis
– Job 15: Package Analysis (Parse package headers)

47
Snapshot - Scanning Result
Example
 package name: inadyn

48
Open Source Software Analysis Tools
FOSSology Black Duck Palamida
Penetration Developed and used by HP Used By Intel, Samsung, AIRBUS Used By IBM, Borland, eclipse
Maturity of software
Released in 2008, currently at
version 2.0.0
Existed since 2002 Developed since 2003
Technologies used
Includes a full web UI using PHP and
postgresql. It also includes CLI.
Unknown Java
Cost Open Source Paid for service Paid for service
Portability Web application Web application Web application
License GPLv2 / LGPL for some libraries None (Commercial) None (Commercial)
Functions
• Upload software file or any kind of
compressed package.
• Find licensees in all files based on
their license headers
• Find copyright notices in all files
•Put files in buckets, for example a
GPL bucket
• Does not do any analyze according
to a policy for which licenses to use.
• Searches files for licenses based
on license text
•Searches files for licenses based
on method context
• Find license incompatibilities in
FOSS
• Supports SPDX
• Find vulnerabilities in the FOSS
used
• Searchable codebase for finding
proper FOSS
• Black Duck releases updates
every 3-4 weeks of their
KnowledgeBase
• Analyze headers for licenses
• Analyze files or chunks of code
against a global database
consisting of open source
software to find undocumented
FOSS.
• Scans and finds vulnerabilities
as well as licenses

49
Conclusion
According to the scanning result, there are some license types
need to take care
GPL-related License
See-doc (OTHER)
Possible solutions
Otherwise authorized by original author
Replace GPL-related package
Release GPL-related partial code
Rewrite code
Check License before Using!
Standing upon the shoulders of giants to develop!

50
Reference
Wikipedia
Free Software
Open-source Software
GNU General Public License
BSD License
Software License Introduction
軟體的授權觀念與自由軟體授權條款介紹
OpenFoundary – FOSSology
授權條款比較表(原始修改程式)
GPL FAQ

Introduction of foss license & fos sology 20130911_v2

Introduction of foss license & fos sology 20130911_v2

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Viewers also liked

Viewers also liked (20)

Similar to Introduction of foss license & fos sology 20130911_v2

Similar to Introduction of foss license & fos sology 20130911_v2 (20)

Recently uploaded

Recently uploaded (19)