Licensing in Composite Projects 
Protecode Webinar Series 
December 2014 
Confidential Protecode Inc. 2014 1
Agenda 
 Open Source Software Adoption and Creation 
 OSS Structure: Genesis vs Composite Projects 
 Licensing in Composite OSS Projects 
 Examples 
 Wrap-up and Q/A 
Tiberius Forrester, 
Director, Solution 
Architecture 
tforrester@protecode.com
OSS Market Penetration 
 Unstoppable growth 
– 85% industry adoption (Gartner 2008) 
– 98% worldwide adoption (Accenture 2010) 
– 99% worldwide adoption (By 2016, Gartner) 
 Adoption at various levels 
– Organizational level 
– Personal level 
 Not a niche play 
– Automotive, healthcare, financial 
– Cloud, mobile, database, security 
– Gaming, tools, imaging, aerospace 
– Anything that includes any code! 
Open Source Software 
 What is OSS 
– A software development and distribution model where software license 
guarantees certain freedoms 
– Also see OSI definition (http://opensource.org) 
 The value 
– Faster development, more functionality, easier integration and customisation 
– Interoperability, adoption of open standards 
– No license costs 
– Freedom from vendor lock-in 
– Allows rapid development of complex software systems 
– Hundreds of thousands of projects available 
• Protecode GIPS Statistics: 
– 2.2M packages, 
– 0.5B OSS files 
– 20B lines of code! 
Adoption in Technology Organizations 
 Organizations and OSS 
– Risk assessment 
• Risk of being involved vs risk of not being involved 
– Consideration -> Adoption -> Integral part of business 
 The most common factors affecting use of OSS in software 
projects 
– Concerns regarding intellectual property / licensing 
– Concerns regarding the security of the software 
– Service & support 
– Product capabilities/maturity 
– Difficulty of adoption / integration 
– Software quality – end user satisfaction 
– Software enhancements – innovation over time 
– Viability of the open source community 
Licensing challenges of OSS 
 Produced by large number of developers over time 
– Bazaar model: fast and frequent releases and release candidates, with the 
risk of lapses in governance 
 Questionable due diligence efforts of committers 
– Re-licensing efforts may not have been correctly handled 
 Code may: 
– Contain nested packages with their own set of issues 
– Contain code from books or community websites 
– Implement patents 
– Implement specifications that are subject to a license 
– Contain code generated by a tool where the output could 
be a derivative of input 
– Contain or implement APIs that may have their own 
obligations 
OSS Project Communities 
 Provide support infrastructure 
– Organizational, legal and in most cases financial 
• Funding through membership fees 
 Examples: 
– Linux Foundation 
– Apache Software Foundation 
– Eclipse Foundation 
– Mozilla, OpenStack, Django, Internet Systems Consortium (BIND 
project), OpenLDAP, Drupal, PostgreSQL, OpenSSL 
 Established processes for 
– Defining governance & policies 
– Managing collaboration, security, documentation, conflicts 
 Generally associated with continuous innovation, trusted 
licensing, peer-reviewed quality 
OSS Project Types 
 Genesis 
– Homogeneous licensing 
– Original content, no 3rd party included in packages 
Example: log4j 
 Composite 
– Mixed or homogeneous licensing 
– Some original content, some 3rd party 
Example: Vaadin 
 Distributions 
– Mostly mixed licensing 
– Mostly repackaged 3rd party 
– Generally well structured, many packages 
Example: 4MLinux 
Licensing in Composite Projects 
 Project license 
– A top level license, or top level document listing applicable licenses 
– Look for website information, LICENSE, COPYING, or README files 
 Subfolder licenses 
– Indicate sub-level OSS projects 
– Not always present 
 File licenses 
– License and copyright notices in individual file headers 
– May differ from the project license or the subfolder license 
 Exceptions: subfolder holding binaries or libraries 
– Generally do not have a license document 
– You are on your own to determine the binary or library licenses 
 Beware: binaries may expand into many subcomponents 
– With their own (hidden or undeclared) licenses 
Licenses and Copyrights in Headers 
Source: analysis of 0.5 billion OSS files in the Protecode GIPS™ database
Project and License Mixes 
Percentage of OSS packages and variety of licenses mentioned in the 
file headers
License Compatibility 
 Licenses with unacceptable terms 
 Licenses with conflicting terms 
– Not all licenses are compatible 
– Example: the GPL family is incompatible with many other licenses, and 
compatibility is one-directional: permissively licensed code (MIT, BSD) can be 
combined into a GPL work, but GPL code cannot be combined into a work released 
under a non-GPL license. GPLv2 and Apache 2.0 are a well-known incompatible pair, 
while GPLv3 accepts Apache 2.0 code (see 
https://www.gnu.org/licenses/license-list.html for a detailed list) 
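The scanning steps from the Licensing in Composite Projects slide (project license, subfolder licenses, file-header licenses, binaries with no license document) and the compatibility check on this slide, as an added Python example that is not Protecode's code nor any project's own. It walks an unpacked package, collects the licenses declared at each level, reports the hidden licenses that the top-level declaration does not mention, flags binaries whose folder carries no license document, and checks the resulting mix against an illustrative policy. The package tree, the regex markers and the policy (strong copyleft unacceptable for a proprietary product; GPL-2.0 and Apache-2.0 as the conflicting pair) are assumptions constructed for this demo, not data from the slides.

```python
"""Scan an unpacked OSS package for declared and hidden licenses.

Levels checked: top-level license documents, license documents in subfolders
(nested OSS projects), license markers in file headers, and binary files, which
carry no license text and are flagged for manual review. The package tree in
build_demo_package() is constructed for this example, not a real project."""
import os
import re
import tempfile
from collections import defaultdict

GPL_HDR = r"(?<!Lesser )General Public License[\s\S]{0,80}?version "
# (license name, marker regex). The GPL patterns exclude LGPL so an LGPL file is
# not also reported as GPL. Real scanners use full-text matching; this is a sketch.
LICENSE_PATTERNS = [
    ("LGPL", re.compile(r"Lesser General Public License|\bLGPL", re.I)),
    ("GPL-2.0", re.compile(r"(?<!L)GPL-?v?2|" + GPL_HDR + r"2(?!\.)", re.I)),
    ("GPL-3.0", re.compile(r"(?<!L)GPL-?v?3|" + GPL_HDR + r"3", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,? Version 2\.0|Apache-2\.0", re.I)),
    ("MIT", re.compile(r"\bMIT License|SPDX-License-Identifier:\s*MIT\b|"
                       r"Permission is hereby granted, free of charge", re.I)),
    ("BSD", re.compile(r"Redistributions? of source code must retain|BSD-\d-Clause", re.I)),
]
BINARY_EXT = {".jar", ".dll", ".so", ".a", ".lib", ".exe", ".ax"}
HEADER_BYTES = 4096  # only the top of each text file is inspected

# Illustrative policy for a proprietary product (an assumption, not legal advice):
# strong copyleft is unacceptable, and GPL-2.0 / Apache-2.0 is a known conflict.
POLICY = {"unacceptable": {"GPL-2.0", "GPL-3.0"},
          "conflicts": [frozenset({"GPL-2.0", "Apache-2.0"})]}


def is_license_doc(name):
    up = name.upper()
    return up.startswith(("LICENSE", "COPYING")) or up == "NOTICE"


def detect(text):
    """Names of all licenses whose markers appear in text."""
    return {name for name, pat in LICENSE_PATTERNS if pat.search(text)}


def scan_package(root):
    """Project-, subfolder- and file-level licenses plus binaries lacking a license document."""
    root = os.path.abspath(root)
    report = {"project": set(), "subfolders": defaultdict(set),
              "files": {}, "undeclared_binaries": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        has_doc, binaries = False, []
        for name in sorted(files):
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if os.path.splitext(name)[1].lower() in BINARY_EXT:
                binaries.append(rel)  # nothing to read; license must be established out of band
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                found = detect(fh.read(HEADER_BYTES).decode("utf-8", "ignore"))
            if is_license_doc(name):
                has_doc = True
                target = report["project"] if rel_dir == "." else report["subfolders"][rel_dir]
                target |= found
            else:
                report["files"][rel] = found
        if not has_doc:  # a binary in a folder with no license document is a blind spot
            report["undeclared_binaries"].extend(binaries)
    return report


def all_licenses(report):
    seen = set(report["project"])
    for found in list(report["subfolders"].values()) + list(report["files"].values()):
        seen |= found
    return seen


def hidden_licenses(report):
    """Licenses seen in subfolders or file headers but absent from the top-level declaration."""
    return all_licenses(report) - report["project"]


def check_policy(report, policy=POLICY):
    mix = all_licenses(report)
    findings = [f"unacceptable license in package: {lic}" for lic in sorted(mix & policy["unacceptable"])]
    findings += ["conflicting licenses: " + " vs ".join(sorted(p)) for p in policy["conflicts"] if p <= mix]
    findings += [f"binary with no license document, licensing unknown: {b}" for b in report["undeclared_binaries"]]
    return findings


# Constructed demo tree: a BSD project bundling an LGPL library, a GPL'd subproject,
# an Apache-licensed helper and a binary DirectShow filter with no license text.
DEMO_FILES = {
    "LICENSE": "BSD 3-Clause License\n\n1. Redistributions of source code must retain the above copyright notice.\n",
    "README": "Demo composite package.\n",
    "src/main.cpp": "// Copyright (c) 2014 Example\n// SPDX-License-Identifier: BSD-3-Clause\n",
    "src/util/Json.java": "/* Licensed under the Apache License, Version 2.0 (the \"License\") */\n",
    "third_party/qt/LICENSE.LGPL": "GNU LESSER GENERAL PUBLIC LICENSE\nVersion 2.1, February 1999\n",
    "third_party/qt/src/qstring.cpp": "/* Licensed under the GNU Lesser General Public License version 2.1 */\n",
    "flac/COPYING.GPL": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n",
    "flac/src/libFLAC/decoder.c": "/* Redistributions of source code must retain the above copyright notice. */\n",
    "bin/oggcodecs.ax": "MZ\x90\x00",
}


def build_demo_package():
    root = tempfile.mkdtemp(prefix="oss-pkg-")
    for rel, content in DEMO_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rep = scan_package(build_demo_package())
    print("declared:", sorted(rep["project"]), "hidden:", sorted(hidden_licenses(rep)))
    for line in check_policy(rep):
        print("-", line)
```

On the demo tree the top-level declaration is BSD alone, while LGPL, GPL-2.0 and Apache-2.0 surface in subfolders and headers, and the `.ax` filter is reported as unlicensed; the policy then flags GPL-2.0 as unacceptable and GPL-2.0 vs Apache-2.0 as a conflict. A production scan replaces the handful of regexes with full license-text and SPDX matching, and the policy table comes from counsel, but the shape of the check (declared set, hidden set, binary blind spots, policy over the union) is the one a compliance pipeline runs.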
Copyleft vs Permissive Licenses 
Composite Project 1 
 Grails (www.grails.org) 
– Open source web application framework 
Composite Project 2 
 PhantomJS (BSD licensed, but includes Qt and other 
LGPL licensed libraries) 
Composite Project 3 
 OggCodecs – DirectShow filters for Ogg Vorbis 
 Package analysed: 0.61.7571 
More details in “flac” subfolder … 
 Care must be taken to 
– investigate the permissions of the whole package, not just the top-level license, 
– remove files that are not needed, or 
– move to a later version where the problematic component has been dropped 
Wrap up 
 If you do not use open source software, you will be left out 
– Managed adoption of open source software 
 Open source projects are composite projects 
– … unless proven otherwise 
– Declared licenses may not match the visible, or hidden, sublicenses 
 OSS packages released by formal OSS communities are preferred 
 Compliance requires 
– Knowledge of what OSS packages are used 
– Access to OSS package, its licenses, description and notes 
– Scanning of the package, determination of its composite nature, declared and 
hidden licenses 
– Ensuring the terms of the sublicenses are compatible and acceptable. 
– Removing any component that is not needed 
 Prevention works better than correction 
– Package pre-approval, due diligence during development, and at build time
About Protecode 
 Open source compliance and security vulnerability management solutions 
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance 
– www.Protecode.com 
 Accurate, usable and reliable products and services for organizations 
worldwide 
Q/A 
Because Code Travels 
www.protecode.com 
