Licensing in Composite Projects
1. Licensing in Composite Projects
Protecode Webinar Series
December 2014
Confidential Protecode Inc. 2014
2. Agenda
Open Source Software Adoption and Creation
OSS Structure: Genesis vs Composite Projects
Licensing in Composite OSS Projects
Examples
Wrap-up and Q/A
Tiberius Forrester, Director, Solution Architecture
tforrester@protecode.com
3. OSS Market Penetration
Unstoppable growth
– 85% industry adoption (Gartner 2008)
– 98% worldwide adoption (Accenture 2010)
– 99% worldwide adoption (By 2016, Gartner)
Adoption at various levels
– Organizational level
– Personal level
Not a niche play
– Automotive, healthcare, financial
– Cloud, mobile, database, security
– Gaming, tools, imaging, aerospace
– Anything that includes any code!
4. Open Source Software
What is OSS
– A software development and distribution model in which the software license guarantees certain freedoms
– Also see OSI definition (http://opensource.org)
The value
– Faster, functions, easier integration and customisation
– Interoperability, adoption of open standards
– No license costs
– Freedom from vendor lock ins
– Allows rapid development of complex software systems
– Hundreds of thousands of projects available
• Protecode GIPS Statistics:
– 2.2M packages
– 0.5B OSS files
– 20B lines of code!
5. Adoption in Technology Organizations
Organizations and OSS
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
6. Licensing challenges of OSS
Produced by a large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations
7. OSS Project Communities
Provide support infrastructure
– Organizational, legal and in most cases financial
• Funding through membership fees
Examples:
– Linux Foundation
– Apache Software Foundation
– Eclipse Foundation
– Mozilla, OpenStack, Django, Internet Systems Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL
Established processes for
– Defining governance & policies
– Managing collaboration, security, documentation, conflicts
Generally associated with continuous innovation, trusted licensing, peer-reviewed quality
8. OSS Project Types
Genesis
– Homogeneous licensing
– Original content, no 3rd party included in packages
Example: log4j
Composite
– Mixed or homogeneous licensing
– Some original content, some 3rd party
Example: Vaadin
Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
Example: 4MLinux
9. Licensing in Composite Projects
Project license
– A top level license, or top level document listing applicable licenses
– Look for website information, LICENSE, COPYING, or README files
Subfolder licenses
– Indicate sub-level OSS projects
– Not always present
File licenses
Exceptions: subfolder holding binaries or libraries
– Generally do not have a license document
– You are on your own to determine the binary or library licenses
Beware: binaries may expand into many subcomponents
– With their own (hidden or undeclared) licenses
10. Licenses and Copyrights in Headers
Source: analysis of 0.5 billion OSS files in the Protecode GIPS™ database
11. Project and License Mixes
Percentage of OSS packages and variety of licenses mentioned in the file headers
12. License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: the GPL (and its variants) is incompatible with most other licenses (see https://www.gnu.org/licenses/license-list.html for a detailed list)
17. More details in “flac” subfolder …
Care must be taken to
– investigate the whole package permissions,
– remove unnecessary files, or
– use later versions
18. Wrap up
If you do not use open source software, you will be left out
– Managed adoption of open source software
Open source projects are composite projects
– … unless proven otherwise
– Declared licenses may not match the visible, or hidden, sublicenses
OSS packages released by formal OSS communities are preferred
Compliance requires
– Knowledge of what OSS packages are used
– Access to OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable.
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
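The compliance steps above, together with the license-document hunt from slide 9 and the compatibility check from slide 12, can be reduced to a small scanner: find LICENSE/COPYING/README at the top level and in subfolders, read source-file headers, treat binaries as opaque archives that may expand into more components, and compare every sublicense found against the declared license and an approved list. The Python below is an added example, not Protecode's tooling and not code from this deck; its license signatures, its approved-license policy and the sample package it builds in a temporary directory are all constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

# Constructed policy and a deliberately small signature set; a real scanner needs richer matching.
LICENSE_DOC_NAMES = {"LICENSE", "LICENSE.TXT", "LICENSE.MD", "COPYING", "COPYING.TXT", "README", "README.MD"}
ARCHIVE_EXTS = (".zip", ".jar", ".war", ".whl", ".egg")
SOURCE_EXTS = (".c", ".h", ".cpp", ".java", ".py", ".js")
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}
ACCEPTABLE = {"MIT", "Apache-2.0", "BSD-3-Clause"}
LICENSE_PATTERNS = {
    "GPL-2.0": re.compile(r"GNU General Public License[^\n]*version 2|\bGPL-2\.0\b|\bGPLv2\b", re.I),
    "LGPL-2.1": re.compile(r"GNU Lesser General Public License[^\n]*version 2\.1|\bLGPL-2\.1\b", re.I),
    "MIT": re.compile(r"\bMIT License\b|Permission is hereby granted, free of charge", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0|\bApache-2\.0\b", re.I),
    "BSD-3-Clause": re.compile(r"Redistributions in binary form must reproduce|\bBSD-3-Clause\b", re.I),
}

def detect_licenses(text):
    """Names of every license whose signature appears in text."""
    return {name for name, pat in LICENSE_PATTERNS.items() if pat.search(text)}

def read_head(path, lines=30):
    # Only the comment header of a source file is read; license documents pass a larger count.
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return "".join(fh.readline() for _ in range(lines))

def inspect_archive(path):
    """Peek inside a zip-based binary without extracting it: members, nested archives, license docs, headers."""
    info = {"members": 0, "nested_archives": 0, "license_docs": 0, "licenses": set()}
    with zipfile.ZipFile(path) as zf:
        for member in (m for m in zf.infolist() if not m.is_dir()):
            base = os.path.basename(member.filename)
            ext = os.path.splitext(base)[1].lower()
            info["members"] += 1
            info["nested_archives"] += ext in ARCHIVE_EXTS
            info["license_docs"] += base.upper() in LICENSE_DOC_NAMES
            if base.upper() in LICENSE_DOC_NAMES or ext in SOURCE_EXTS:
                info["licenses"] |= detect_licenses(zf.read(member).decode("utf-8", "ignore"))
    return info

def scan_package(root):
    """Top-level license docs give the declared license; deeper docs mark sub-projects; headers give file licenses."""
    report = {"declared": set(), "subfolder": {}, "headers": {}, "archives": {}}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            path, ext = os.path.join(dirpath, name), os.path.splitext(name)[1].lower()
            relfile = name if rel == "." else f"{rel}/{name}"
            if name.upper() in LICENSE_DOC_NAMES:
                target = report["declared"] if rel == "." else report["subfolder"].setdefault(rel, set())
                target |= detect_licenses(read_head(path, 200))   # in-place union on the chosen set
            elif ext in SOURCE_EXTS:
                report["headers"][relfile] = detect_licenses(read_head(path))
            elif ext in ARCHIVE_EXTS and zipfile.is_zipfile(path):
                report["archives"][relfile] = inspect_archive(path)
    return report

def assess(report, acceptable):
    """Findings: undeclared sublicenses, opaque archives, licenses outside policy, copyleft under a permissive declaration."""
    findings, seen = [], set(report["declared"])
    for loc, lic in list(report["subfolder"].items()) + list(report["headers"].items()):
        hidden = lic - report["declared"]
        if hidden:
            findings.append(f"hidden: {loc} carries {sorted(hidden)}, not in declared {sorted(report['declared'])}")
        seen |= lic
    for loc, info in report["archives"].items():
        seen |= info["licenses"]
        findings.append(f"archive: {loc} has {info['members']} members, {info['nested_archives']} nested archive(s), {info['license_docs']} license doc(s); expand and scan before accepting")
    for lic in sorted(seen - acceptable):
        findings.append(f"unacceptable: {lic} is not on the approved list")
    if seen & COPYLEFT and report["declared"] and not report["declared"] & COPYLEFT:
        findings.append(f"conflict: declared {sorted(report['declared'])} but contains copyleft {sorted(seen & COPYLEFT)}")
    return findings

def build_sample_package(base):
    """Constructed package: MIT declared on top, an LGPL/GPL codec vendored below, a jar with no license document."""
    texts = {
        "LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...\n",
        "src/main.c": "/* Copyright (c) 2014 Example Corp. Released under the MIT License. */\nint main(void) { return 0; }\n",
        "third_party/codec/COPYING": "GNU Lesser General Public License, version 2.1\n",
        "third_party/codec/decode.c": "/* Free software; see the GNU General Public License, version 2. */\n",
    }
    for rel, text in texts.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    os.makedirs(os.path.join(base, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(base, "lib", "helper.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
        zf.writestr("lib/inner.jar", b"PK\x05\x06" + b"\x00" * 18)   # constructed empty nested archive
        zf.writestr("org/example/Util.java", "// Licensed under the Apache License, Version 2.0\nclass Util {}\n")

def run_demo():
    """Build the constructed package in a temp dir, scan it and return (report, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        report = scan_package(tmp)
        return report, assess(report, ACCEPTABLE)
```

Running `run_demo()` on the constructed tree reports MIT as the declared license, LGPL-2.1 in the vendored subfolder's COPYING and GPL-2.0 in one of its headers as hidden sublicenses, the jar as an opaque archive with a nested archive and no license document, and a conflict between the permissive declaration and the copyleft code underneath. Point `scan_package` at a real unpacked package (and `assess` at your own approved list) to get the same inventory; nested archives still need to be expanded and rescanned, exactly as slide 9 warns.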
19. About Protecode
Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
– www.Protecode.com
Accurate, usable and reliable products and services for organizations worldwide