These are the slides from the keynote entitled 'Open Source Software Licence Compliance: Art or science?' at the OpenChain Summit 2022, presented by Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP.
This document discusses the intersection of blockchain technology, open source software, and patents. Some key points include:
1) Open source licenses can "taint" proprietary software if they are combined, requiring the proprietary software to also be open source. This impacts business models.
2) Open source software can still be patented. Patents are an important issue to consider with open source use and contributions.
3) Certain open source licenses require licensees to grant patent licenses, sometimes broadly, which many organizations do not expect.
4) Asserting patent claims against open source users can trigger penalties under some licenses, such as losing the right to use the open source software.
5) Network access models
The document discusses key elements to consider when choosing a software license for technology transfer. It outlines three main steps: 1) identify any pre-existing contractual constraints on the software; 2) identify any pre-existing code components used in developing the software; and 3) define intended use of the software. The document also provides a case study analyzing these steps for a research lab licensing its software to a mobile network operator. It examines license compatibility issues and offers recommendations like indicating the license clearly in documentation.
The document discusses best practices for managing open source projects, including choosing a name and license, setting up communication channels like mailing lists and version control, managing releases, packaging, and translations. Key aspects are being open and transparent from the start, using tools like wikis to organize documentation, and maintaining a consistent vision to keep developers engaged over time. Managing releases involves numbering schemes, release branches, testing, and supporting multiple versions.
Open source software is growing, especially in IoT, but there is little understanding of license obligations. This presentation provides best practices for using open source software safely and effectively. It discusses open source licenses including GPL, LGPL, MIT and their terms. It emphasizes the importance of compliance to avoid liability issues seen in court cases. Developers must understand which licenses are acceptable and how to identify and address license requirements for all code used.
The document discusses open source GIS software as an alternative to proprietary GIS software. It defines what open source means, including allowing free redistribution, access to source code, allowing modifications, and non-discrimination. It also discusses concerns about open source adoption in government. However, it argues that open source GIS software can meet requirements for fitness of purpose, value for money, and low risk. Choosing sustainable open source projects with large user bases can help minimize risks. Open source GIS software is now mature and interoperable enough to consider for commercial use.
The document discusses conducting four tasks to gain experience with TCP/IP vulnerabilities and attacks. Task 1 involves a TCP SYN flood attack and the SYN cookie countermeasure. Task 2 is a TCP session hijacking attack. Tasks 3 and 4 involve TCP RST attacks against telnet/SSH connections and video streaming applications respectively. The tasks are designed to help understand network security challenges and why defenses are needed by studying past vulnerabilities.
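The SYN cookie countermeasure from Task 1 is easier to reason about with the encoding in front of you. The block below is an added illustration, not code from the lab handout: it uses the classic 5-bit time / 3-bit MSS index / 24-bit hash split, with a deliberately simple keyed mixing function standing in for the SipHash or SHA-1 a real kernel would use, so the server can answer a SYN without keeping any half-open state and still reject forged or stale ACKs. The tick counter, secret, addresses and ports are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Cookie layout (Bernstein/Linux-style split, simplified for the demo):
 *   bits 31..27  5-bit time counter t (ticks once a minute, say)
 *   bits 26..24  3-bit index into a table of common MSS values
 *   bits 23..0   24-bit keyed hash over the 4-tuple, t and a server secret
 * The server stores nothing per SYN; the client's final ACK carries the
 * cookie back as (ack_seq - 1), and only a matching hash proves that the
 * SYN-ACK really reached the claimed source address. */
#define COOKIE_MAX_AGE 4U   /* accept cookies up to 4 counter ticks old */

/* Illustrative keyed mixing function (NOT cryptographic; an assumption of
 * this demo, a real kernel uses SipHash/SHA-1 with random secrets). */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr,
                            uint16_t sport, uint16_t dport,
                            uint32_t t, uint32_t secret)
{
    uint32_t h = mix32(secret ^ 0x9e3779b9U);
    h = mix32(h ^ saddr);
    h = mix32(h ^ daddr);
    h = mix32(h ^ ((uint32_t)sport << 16 | dport));
    h = mix32(h ^ t);
    return h & 0xffffffU;           /* keep the low 24 bits */
}

/* Server side on SYN: derive the SYN-ACK's ISN instead of allocating a
 * half-open connection. now is the current tick counter. */
uint32_t syn_cookie_make(uint32_t saddr, uint32_t daddr,
                         uint16_t sport, uint16_t dport,
                         uint32_t now, unsigned mss_idx, uint32_t secret)
{
    uint32_t t = now & 0x1fU;
    return (t << 27) | ((mss_idx & 7U) << 24)
         | cookie_hash(saddr, daddr, sport, dport, t, secret);
}

/* Server side on the final ACK: cookie is (ack_seq - 1). Returns 1 and the
 * recovered MSS index if the cookie is fresh and the hash matches, else 0. */
int syn_cookie_check(uint32_t saddr, uint32_t daddr,
                     uint16_t sport, uint16_t dport,
                     uint32_t cookie, uint32_t now, uint32_t secret,
                     unsigned *mss_idx)
{
    uint32_t t   = cookie >> 27;
    uint32_t age = (now - t) & 0x1fU;           /* modulo-32 counter distance */
    if (age > COOKIE_MAX_AGE)
        return 0;                               /* stale or replayed */
    if ((cookie & 0xffffffU) !=
        cookie_hash(saddr, daddr, sport, dport, t, secret))
        return 0;                               /* forged, or wrong 4-tuple */
    *mss_idx = (cookie >> 24) & 7U;
    return 1;
}

int main(void)
{
    /* Constructed handshake: 10.0.0.1:40000 -> 10.0.0.2:80, MSS index 5 */
    uint32_t secret = 0xdeadbeefU;
    uint32_t c = syn_cookie_make(0x0a000001U, 0x0a000002U, 40000, 80, 100, 5, secret);
    unsigned mss = 0;
    int ok = syn_cookie_check(0x0a000001U, 0x0a000002U, 40000, 80, c, 102, secret, &mss);
    printf("cookie=0x%08x valid 2 ticks later=%d mss_idx=%u\n", (unsigned)c, ok, mss);
    printf("tampered cookie:   %d\n",
           syn_cookie_check(0x0a000001U, 0x0a000002U, 40000, 80, c ^ 1U, 102, secret, &mss));
    printf("10 ticks later:    %d\n",
           syn_cookie_check(0x0a000001U, 0x0a000002U, 40000, 80, c, 110, secret, &mss));
    return 0;
}
```

The trade-off the lab hints at is visible here: once the cookie is in use the server has forgotten the client's TCP options, so only the MSS survives (quantised into 3 bits), and the 24-bit hash is the entire defence against an attacker guessing a valid ACK.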
This lab document describes using the Metasploit framework to perform exploits against Windows systems. It consists of six sections: installing Metasploit, adding a remote user to Windows XP, gaining remote command shell access to Windows XP, using DLL injection to open a remote VNC connection, remotely installing a rootkit on Windows, and setting up the Metasploit web interface. The document provides background on exploit frameworks and payloads, and guides students through exercises to complete each section.
This document discusses changes to Hyper-V virtualization from Windows Server 2008 to 2012. Key changes include the ability to share virtual hard disks between VMs, improved quality of service controls, and more robust resource sharing between host and guest systems. The new features make Hyper-V more reliable and scalable for server virtualization needs over the next 2-3 years.
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th... (sparkfabrik)
This document discusses the secure software supply chain and current state of the PHP ecosystem. It begins with introductions and defines a software supply chain as a network involved in creating and delivering a product to consumers. It then discusses threats in modern software supply chains like dependencies and demonstrates building a software bill of materials (SBOM) to analyze dependencies. It also covers recent supply chain attacks on PHP infrastructure and tools like Composer and PEAR. Finally, it recommends mitigations like using signed container images to verify integrity and provenance and generating SBOMs to detect vulnerabilities.
The document provides guidance on designing a complex web application by breaking it into multiple microservices or applications. It recommends asking questions about team size, traffic patterns, priorities for speed vs stability, existing APIs or libraries, and programming languages. Based on the answers, it suggests appropriate frameworks, languages, data storage, testing/deployment processes, and server/container management options. The overall goal is to modularize the application, leverage existing tools when possible, and not overengineer parts of the design.
Jack Fletcher discusses how computer hardware, software, networking, and society have shaped the modern world and will continue to do so in the future. He describes how early computers like the Colossus were developed during World War II and how hardware has rapidly advanced, with smartphones now having more power than the computers on Apollo rockets. Fletcher also explains how software is built, different types of software, and how networking allows for file sharing, online gaming, and more. Finally, he discusses how these technologies have transformed daily life and will bring developments like 4K displays, 3D printing, and online streaming.
The document discusses open source software licenses and intellectual property protection when using open source software. It summarizes key open source licenses like GPL, LGPL, and MPL and how they affect proprietary software development. The document also describes how ACCESS Linux Platform is designed to allow both open source and proprietary software while protecting intellectual property through license isolation and the use of MPL for its application framework.
The document describes a travel agency management system that offers the following key features:
- Integrated travel agents located directly in companies to make reservations and issue tickets.
- An electronic booking system that is IATA approved along with state-of-the-art technology.
- Dedicated and bilingual staff that provide personalized service and account management for corporate travel needs.
- One-stop shopping for all travel arrangements along with corporate agreements with airlines.
This document discusses debugging fundamentals and provides an overview of different debuggers. It summarizes how debuggers like Immunity Debugger, WinDbg, and OllyDbg work to test and troubleshoot target programs. The document also introduces security fuzzers and describes how they work with debuggers to detect vulnerabilities by providing unexpected input data to programs and monitoring for exceptions or memory leaks. An example is provided of using the Immunity Debugger and Infigo FTPStress Fuzzer to analyze and attempt to crash an FTP server.
Interoperability refers to the ability of diverse systems and organizations to work together. Key points about file systems include: FAT stores file information in a file allocation table, FAT32 supports smaller clusters and larger volumes than FAT, and NTFS provides advanced features like permissions, encryption, and compression. A hub is a common connection point that copies packets to all ports so all network segments can see traffic. TCP/IP is the set of protocols used for the Internet and similar networks. DHCP dynamically assigns IP addresses and related information to clients to reduce administration workload. Server logs contain error information that can help trace and fix problems. Network documentation should include information about capacity planning and security.
Lawyers and Licenses in Open Source-based Development: How to Protect Your So... (Sonatype)
You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.
Cyber Defense Forensic Analyst - Real World Hands-on Examples (Sandeep Kumar Seeram)
The document discusses analyzing malware using static and dynamic analysis techniques. Static analysis involves examining a malware file's code and structure without executing it, using tools like disassemblers and string extractors. Dynamic analysis executes malware in a controlled environment to observe its behaviors and any changes it makes. The document then demonstrates analyzing the "Netflix Account Generator" malware using an isolated cloud sandbox, where it is observed starting child processes and making outbound network connections, suggesting it is a remote access trojan.
Quick introduction to Open Data, Open Source, Open Development for the University of Victoria.
This presentation was part of the LocationTech 2015 Tour.
This document appears to be a thesis submitted by Akash Rajguru for the award of a Bachelor of Engineering (Honours) in Software Engineering at Athlone Institute of Technology. The thesis investigates developing an intrusion detection system with honeypot integration using Java. It will focus on researching concepts of intrusion detection, prevention and honeypots. It will also explore Java libraries to develop a desktop application to help network administrators monitor network traffic and packet flow. The application will allow packet capturing, port scanning, blocking ports, and storing captured data locally and remotely in MongoDB. It will also integrate two honeypot servers to capture hacker information.
Presented by Brooks Kushman and Rogue Wave Software at the Embedded Systems Conference, this deck covers both the legal and the practical considerations of developing embedded systems with open source software (OSS). It discusses open source development tools, how to integrate OSS into embedded systems, the different OSS licenses, and provides a road map to compliance.
A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. ... Exploiting a buffer overflow allows an attacker to control or crash the process or to modify its internal variables.
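The last sentence above, an overflow used to modify a program's internal variables rather than to crash it, is the case worth seeing concretely. The following is an added example, not code from the summarised deck: a hypothetical session record places a fixed-length name buffer directly in front of a privilege flag, the vulnerable login copies the input without checking its length against the buffer, and the hardened version rejects oversized input instead of truncating it silently. The struct, function names and the 16-byte payload are constructed for the demonstration; to keep the demo within defined behaviour the vulnerable copy is capped at the struct size, a cap real vulnerable code would not have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record: the fixed-length name buffer is immediately
 * followed by a privilege flag, so bytes written past name[] land in
 * is_admin. Offset 16 is 4-byte aligned, so there is no padding between. */
struct session {
    char     name[NAME_LEN];
    uint32_t is_admin;
};

/* VULNERABLE: copies the whole input (NUL included, as strcpy would)
 * without comparing its length to NAME_LEN. The copy goes through a byte
 * pointer to the struct and is capped at sizeof(*s) purely so that this
 * demo stays within defined behaviour; real vulnerable code has no cap and
 * the overflow runs into whatever follows the buffer on the stack or heap. */
int login_vulnerable(struct session *s, const char *input)
{
    size_t len = strlen(input) + 1;
    unsigned char *dst = (unsigned char *)s;   /* same address as s->name */
    if (len > sizeof(*s))
        return -1;                             /* demo-only guard, see above */
    memcpy(dst, input, len);                   /* bytes 16.. overwrite is_admin */
    return 0;
}

/* HARDENED: refuse input that does not fit with room for the terminator,
 * and always NUL-terminate what was copied. */
int login_fixed(struct session *s, const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_LEN)
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Runs one login attempt against a zeroed session and returns the
 * resulting is_admin value; 0 means the flag survived intact. */
uint32_t demo_is_admin(const char *input, int use_fixed)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (use_fixed)
        login_fixed(&s, input);
    else
        login_vulnerable(&s, input);
    return s.is_admin;
}

int main(void)
{
    /* Constructed payload: 16 filler bytes fill name[], the 0x01 that
     * follows lands in the first byte of is_admin. */
    const char *payload = "AAAAAAAAAAAAAAAA\x01";
    printf("vulnerable: is_admin=%u\n", (unsigned)demo_is_admin(payload, 0));
    printf("fixed:      is_admin=%u\n", (unsigned)demo_is_admin(payload, 1));
    printf("benign:     is_admin=%u\n", (unsigned)demo_is_admin("alice", 0));
    return 0;
}
```

The flag ends up non-zero on either byte order (the 0x01 is the least significant byte on little-endian targets and the most significant on big-endian ones), which is why the check is "is_admin != 0" rather than a specific value. The hardened version's choice to reject rather than truncate matters too: strncpy-style truncation would leave the flag alone but silently accept a different name than the one the user supplied.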
The document discusses various topics related to system administration including system administrator responsibilities, file systems like NTFS and FAT, networking concepts like VOIP and proxy servers, Windows servers, DHCP, DNS, Active Directory and Group Policy. It provides definitions and explanations of these topics through questions and answers.
Protecting location privacy in sensor networks against a global eavesdropper (Shakas Technologies)
The document discusses techniques for providing location privacy in sensor networks against a global eavesdropper. It proposes four techniques - periodic collection, source simulation, sink simulation, and backbone flooding - to provide location privacy for monitored objects (source location privacy) and data sinks (sink location privacy). These techniques provide trade-offs between privacy, communication cost, and latency. Analysis and simulation demonstrate that the proposed techniques are efficient and effective for providing source and sink location privacy in sensor networks.
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording (Shane Coughlan)
The document summarizes the agenda for an Education Work Group call on April 10, 2024. It includes notices about antitrust policies for Linux Foundation meetings and a reminder that activities must comply with applicable competition laws. The document also thanks Nathan and contributors for their work, introduces a new boss, and outlines plans for 2024-2025, which involve continuing work on training slides, reviewing an education leaflet, proposing OpenChain UK education videos, releasing an official SBOM quality reference guide from the Telco Work Group, and creating short explainers to introduce OpenChain within organizations.
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording (Shane Coughlan)
The document summarizes a meeting of the OpenChain AI Study Group that recapped a previous workshop on AI compliance in the supply chain. It discusses identifying commonalities between AI compliance and the ISO/IEC 5230 standard for open source license compliance programmes. It provides examples of reviewing and redlining the ISO/IEC 5230 standard and a related thinking document. The document also suggests starting a review of the ISO/IEC 42001 standard on AI management systems while noting that it is not freely available. It asks if there is any other business and concludes by thanking and saying goodbye to attendees.
OpenChain Monthly Meeting North America and Asia - 2024-03-19 (Shane Coughlan)
The document summarizes the agenda for an OpenChain Monthly North America / Europe Meeting on 2024-03-19. It includes:
1) A notice about complying with antitrust laws and avoiding prohibited discussions.
2) The regular agenda covers sharing news, working on standards and core materials, reference materials, and other business.
3) News items include webinars on GitHub Copilot and export controls, and an OpenChain AI study group call.
4) Work includes discussing issues on the license compliance specification and a security assurance specification on GitHub.
5) Reference and support work involves the OpenChain education study group and supplier education leaflet.
The document discusses antitrust policies for Linux Foundation meetings. It states that Linux Foundation meetings involve competitors and all activities must be in accordance with antitrust laws. Attendees should adhere to meeting agendas and not participate in prohibited activities under antitrust laws. Examples of prohibited actions are described in the Linux Foundation Antitrust Policy available online. Attendees with questions should contact their legal counsel or the Linux Foundation's legal counsel.
openEuler Community Overview - a presentation showing the current scale (Shane Coughlan)
OpenEuler is an open source operating system that has seen exponential growth, with over 1.3 million global downloads, 900+ enterprise members, and 14,000+ contributors. It aims to be the number 1 server OS by 2023, with 50%+ estimated market share, by providing a versatile and intelligent OS for all scenarios from server to cloud to edge to embedded devices. OpenEuler also has a thriving ecosystem of over 400 innovation projects and many enterprise and community distributions to satisfy diverse industry requirements.
OpenChain AI Study Group - North America and Europe - 2024-02-20 (Shane Coughlan)
The document summarizes the agenda and discussion from an OpenChain AI study group meeting on building trust in the open source AI supply chain. The group discussed defining compliance artifacts and how they can be trusted throughout the supply chain. They also considered what constitutes a high-risk artifact and whether compliance should be based on risk type. Additionally, the group discussed achieving transparency in AI systems as models move towards more closed structures, and how to meet the study group's goals of establishing industry agreements on AI management principles.
AI Study Group North America - Europe 2024-02-06 (Shane Coughlan)
The document summarizes discussions from an OpenChain AI Study Group meeting on anti-trust policy and building trust in the open source AI supply chain. It recaps previous discussions, defines the scope as establishing how to ensure "compliance artifacts" like data cards and model cards can be trusted throughout the supply chain. It also lists AI regulatory frameworks and discusses using cases like delivering pre-trained models or datasets. The appendix section asks for any other business and recaps goals of establishing industry agreements on AI management and developing principles for transparency and bias.
OpenChain Monthly North America / Europe Call - 2024-02-06 (Shane Coughlan)
The OpenChain monthly meeting covered the following topics:
1) An announcement about upcoming OpenChain elections for working group chair positions and the process for nominations and voting.
2) An update on recent and upcoming calls for the AI Study Group exploring how to build trust in the open source AI supply chain.
3) A discussion of open issues for the ISO security and licensing standards being developed by OpenChain.
4) An early proposal to develop an OpenChain contribution process specification and a link to the draft document and issues.
5) An update that the OpenChain reference training slides are being finalized this week.
6) A summary of a recent Legal Work Group meeting on maturity models
OpenChain Export Control Work Group 2024-01-09 (Shane Coughlan)
This document summarizes an OpenChain Export Control meeting held on January 9, 2024. It includes an antitrust policy notice reminding participants that Linux Foundation meetings must comply with antitrust laws. The agenda has two items: discussing how the SPDX project's proposed operations profile and export control schema can help with export control work, and reviewing the status of a stalled crypto law survey book to decide how to move it forward.
The document summarizes a meeting of the OpenChain Legal Work Group that discussed maturity models for assessing competence in open source management. It includes:
- An overview of the meeting agenda which focused on a presentation by Andrew Katz of Orcro about their open source maturity model based on ISO/IEC 5230:2020.
- A high-level explanation of capability maturity models and OpenChain's potential as a framework for defining requirements and mapping them to maturity levels for different business functions.
- An example assessment of the maturity of an organization's people, processes, information, and systems for generating software bill of materials, mapping it to relevant ISO requirements.
The document summarizes an agenda for an OpenChain AI Study Group meeting. It begins with a notice about complying with antitrust laws during Linux Foundation meetings. The agenda then lists the meeting setup and format as the first item, followed by a discussion of goals for the study group around establishing industry agreements on AI management, developing AI principles for supply chain trust, and discussing AI ethics. It poses achieving the goals through weekly meetings and commitment to progress. It concludes by opening the floor for any other business.
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
The document summarizes Aliens4friends, an Eclipse project that provides tooling for open source license compliance in the Oniro operating system. It discusses key principles of automating compliance work while enabling sustainable human review through reuse. The toolchain gets original source code from the build system, matches components to Debian's reviews, monitors the audit process, and provides a dashboard for visualization. The goal is to implement continuous compliance as a core part of the development workflow.
Maturity Models - Open Compliance Summit 2023Shane Coughlan
The document discusses a capability maturity model (CMM) for assessing the maturity of an organization's open source software development practices. It presents a five-level maturity framework from initial to optimizing and maps out how capabilities could be assessed across four categories: people and organization, processes, information, and systems. The CMM is aligned with requirements in the OpenChain specification and ISO 5230 standard to provide a potential framework for determining an organization's open source compliance maturity.
The key strategic goals of the governing board were met over the past year. Several metrics related to standards adoption and conformant programs increased substantially, such as a 22% rise in ISO/IEC 5230 conformant programs and a 500% increase in ISO/IEC 18974 conformant programs. The partner program also expanded in various categories. Future standards developments are being discussed, including proposed updates to the existing standards and new specifications related to contributions and SBOM quality.
The presentation deals with the concept of Right to Default Bail laid down under Section 167 of the Code of Criminal Procedure 1973 and Section 187 of Bharatiya Nagarik Suraksha Sanhita 2023.
Reviewing contracts swiftly and efficiently is crucial for any organization. It ensures compliance, reduces risks, and keeps business operations running smoothly.
A Critical Study of ICC Prosecutor's Move on GAZA WarNilendra Kumar
ICC Prosecutor Karim Khan's proposal to its judges seeking permission to prosecute Israeli leaders and Hamas commanders for crimes against the law of war has serious ramifications and calls deep scrutiny.
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...AHRP Law Firm
Law Number 13 of 2003 on Manpower has been partially revoked and amended several times, with the latest amendment made through Law Number 6 of 2023. Attention is drawn to a specific part of the Manpower Law concerning severance pay. This aspect is undoubtedly one of the most crucial parts regulated by the Manpower Law. It is essential for both employers and employees to abide by the law, fulfill their obligations, and retain their rights regarding this matter.
Open Source Software Licence Compliance: Art or science?
1. Open Source Software Licence Compliance:
Art or science?
Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP
2. The goal for OSS licence compliance…
• Tooling which
• Knows all the components you are using;
• Knows exactly which licence is applicable to each component (including exceptions);
• Can automatically generate a complete set of compliance artefacts;
• Understands the terms you are trying to out-license on;
• Understands the use case (distributable, app store, SaaS, containerized, embedded);
• Generates build scripts and installation instructions where necessary;
• Suggests remediation for potential problems;
• Provides a repository which contains a set of pre-approved components;
• Won’t allow, or generates an error on build for, non-compliant components.
3. The goal for OSS licence compliance…
• Component sources which
• Correctly identify the applicable licences
• Correctly identify relevant dependencies
• Correctly identify relevant dependencies for that particular build configuration
• Have a reference implementation with correct compliance artefacts
• That we are confident do not include code copied from elsewhere
• Contain easily machine-readable metadata covering the above
4. Challenges
• The scale of the problem. An embedded system may contain over 100k
components.
• Legacy code does not use SPDX/REUSE etc. Much is being retrofitted, but
sometimes it’s impossible.
• Technology develops faster than compliance. Law develops slower than both.
• Containerization: where are all the components coming from?
• Orchestration (e.g. Kubernetes) compounds this
• What is “distribution”?
• If you are not distributing to your client, but Docker is (for example), who must comply?
• What about secondary liability?
• An outsourced developer will frequently provide the compliance artefacts
necessary to distribute the software to you, but insufficient information for you
to distribute it to your end users.
5. Real issues: examples from Linux Kernel
File: arch/m68k/mac/config.c
* Much of this was defined by Alan, based on who knows what docs.
File: arch/arm/kernel/sys_arm.c
* Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c
(The file sys_i386.c no longer exists in the source tree.)
File: drivers/staging/rtl8192e/rtllib_softmac.c
* WPA code stolen from the ipw2200 driver.
* Copyright who own it's copyright.
File: drivers/staging/rtl8192e/rtllib_softmac_wx.c
* Some pieces of code might be stolen from ipw2100 driver
* copyright of who own it's copyright ;-)
6. Real issues: examples from Linux Kernel
File: arch/alpha/kernel/smc37c669.c
* This software is furnished under a license and may be used and copied...
(No licence is specified - hopefully it is compatible with the GPL)
Some typically unclear attributions/copyright notices:
File: arch/powerpc/platforms/chrp/pegasos_eth.c
* And anyone else who helped me on this
(Following a set of attributions)
File: arch/um/drivers/daemon_kern.c
* Copyright (C) 2001 by various other people who didn't put their name here.
7. Real examples: GPL Overreach
SQLMap: GPL, but with an extended definition of “derivative work”
which includes any software which
* Executes sqlmap and parses the results (as
opposed to typical shell or execution-menu apps,
which simply display raw sqlmap output and so
are not derivative works).
8. Code interaction – 3 axes of compliance
To what extent must GPL code interact with other code to trigger the
requirement for the other to be released under GPL?
1. How closely are the components combined?
2. How is the code delivered (distributed) to the user?
3. What sort of interface does the interaction use?
9. How closely are the components combined?
a. running the two components on separate computers
b. running the two components in separate virtual machines
c. running the two components in separate threads or processes
d. running the two components sequentially in the same thread or process (e.g. as a plug-in)
e. running the two components dynamically linked
f. running the two components statically linked
g. combining the two components by inserting code from one into the other (e.g. copy/paste)
10. How is the code delivered to the user?
a. two components delivered separately at separate times, each download initiated by the end-user
b. two components delivered at the same time, with end-user explicitly accepting download of the copyleft
component
c. two components delivered simultaneously without the end-user’s explicit involvement, but are clearly
separable within the package downloaded
d. two components delivered simultaneously and pre-linked
e. two components merged into one, inseparably.
11. How do the components communicate?
a. two components communicate through a command-line interface or some form of pre-existing inter-process
communication (e.g. SMTP, or pipes)
b. two components communicate through an API which is publicly published and which pre-exists the copyleft
component
c. two components communicate through an API which is private but which can be demonstrated to pre-exist
the copyleft component
d. two components communicate through an API defined by the copyleft component
e. two components are dynamically linked
f. two components are statically linked
g. two components are combined into a single executable, inseparably
12. So, do we need to apply GPL or not?
1. Establish how the interaction operates on all 3 axes.
2. The higher up the list the interaction sits on each axis, the lower the
likelihood of a problem.
3. Architect your application with this in mind.
4. This is not only a question of minimizing the possibility that you are
infringing GPL (which is something only a judge can decide). It’s also
about making it more difficult for a copyright holder to claim that
you are.
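As an added example (not from the slides), the three lists from slides 9 to 11 encoded as ordered enumerations, with slide 12's "higher up the list" rule applied by a small scoring function in Python. The normalised scoring, the band thresholds and the check that linking is described consistently on both axes are this example's own assumptions, not anything the deck prescribes.

```python
"""Three-axes copyleft exposure check (added example, not from the slides)."""
from enum import IntEnum

# Slides 9-11 as ordered lists: the further down, the closer the interaction.
class Combination(IntEnum):          # slide 9: how closely combined
    SEPARATE_COMPUTERS = 1
    SEPARATE_VMS = 2
    SEPARATE_PROCESSES = 3
    SAME_PROCESS_SEQUENTIAL = 4      # e.g. a plug-in
    DYNAMIC_LINK = 5
    STATIC_LINK = 6
    SOURCE_COPY = 7                  # code copied from one into the other

class Delivery(IntEnum):             # slide 10: how delivered to the user
    SEPARATE_USER_INITIATED = 1
    SAME_TIME_USER_ACCEPTS = 2
    SIMULTANEOUS_SEPARABLE = 3
    PRE_LINKED = 4
    MERGED = 5

class Interface(IntEnum):            # slide 11: how they communicate
    CLI_OR_IPC = 1
    PUBLIC_PREEXISTING_API = 2
    PRIVATE_PREEXISTING_API = 3
    COPYLEFT_DEFINED_API = 4
    DYNAMIC_LINK = 5
    STATIC_LINK = 6
    SINGLE_EXECUTABLE = 7

def axis_position(value: IntEnum) -> float:
    """Normalise a list position to 0.0 (top of list) .. 1.0 (bottom)."""
    return (value - 1) / (len(type(value)) - 1)

def assess(combination, delivery, interface) -> dict:
    """Slide 12's rule: the worst (lowest-listed) axis sets the exposure band.
    Band thresholds and the linking consistency check are assumptions."""
    # Linking appears on both the combination and interface axes; a
    # description that links on one axis but not the other is inconsistent.
    if (combination >= Combination.DYNAMIC_LINK) != (interface >= Interface.DYNAMIC_LINK):
        raise ValueError("combination and interface disagree about linking")
    positions = {"combination": axis_position(combination),
                 "delivery": axis_position(delivery),
                 "interface": axis_position(interface)}
    worst_axis = max(positions, key=positions.get)
    worst = positions[worst_axis]
    band = "low" if worst < 0.34 else "medium" if worst < 0.67 else "high"
    return {"worst_axis": worst_axis, "worst": round(worst, 2), "band": band}
```

The band is an indication of how easy it would be to argue that the GPL reaches the other component, in the sense of slide 12's point 4, not a legal determination.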
13. General issues here:
1. The scope of secondary copyright liability (if I encourage, provide instructions for, or automate a process
which means that I am not distributing the code, but the end-user is, am I liable for secondary copyright
infringement?)
2. Is this true, even if what the end-user is doing is perfectly lawful in itself?
3. (Note: there are several, mainly US, cases around Napster and Grokster etc.)
4. Thought experiment: it was revealed some years ago that certain Intel CPUs contain a Management Engine
running a variant of Minix.
1. If that software contained infringing components, could you, as the person owning and switching on the computer, be held liable?
2. Liability for copyright infringement is not dependent on knowledge or intent. Given what we know about the IME, is that fair?
5. Conclusion: the main area where compliance is not being helped is the law
14. Where to go from here?
1. Make it easier to find components with known licences, and better-defined dependencies
- SPDX, REUSE, GitHub Licence Chooser
2. Clarify existing licence terms for older components
- Please relicense to better known licences (and not to fauxpen licences)
- Make the licensing information more consistent (e.g. Maven Central Repository)
3. Provide reference implementations, and example compliance materials
- OpenChain, Oniro
4. But what about the law?
15. Blue Sky?
How licensing works (in theory):
• Developer A decides what rights they want to grant users, for all possible
use cases.
• Developer A works with legal advisers to either select a licence or draft a
new one (!)
• B decides they want to use A’s code, reads the licence (possibly with the
help of the legal department).
• B uses the code.
• A thinks that B is infringing. An argument involving lawyers ensues.
• A judge decides who’s right.
16. Blue Sky?
How licensing works (in practice):
• Developer A decides to write some software, and wants to open source it
• A (hopefully) picks an existing licence which seems to do what they want,
for most use cases. Possibly with the help of the legal dept.
• B decides they want to use A’s code, and uses it in a way which is generally
understood as acceptable (possibly with the help of the legal department).
• B uses the code.
• A thinks that B is infringing. An argument involving lawyers ensues.
• A judge, who probably doesn’t know about FOSS, decides who’s right.
17. Ultimately…
A developer may have a pretty good idea of what permissions they
want attached to their code, and what outcome they want for certain
code combinations….
… but that clarity will be destroyed because the message is filtered
through lawyers, the uncertain legal system (which differs between
jurisdictions) and the ultimate arbiter is a judge, who may well know
nothing about FOSS.
18. Is there a solution?
• The law already acknowledges that the legal rights and obligations can be
created without using natural language (e.g. derivatives).
• Is it possible to remove the requirement that natural language is the only
medium by which the rights and obligations of FOSS licences can be
determined?
• Can developers select a set of rights they want to apply to their code, and
then an agreed algorithm determines how software interactions and
compliance materials must be generated?
• Can compliance (or at least a subset of it) become deterministic?
• This won’t be perfect, but a developer may well settle for it being right
95% of the time.
19. Such an algorithm…
• Must provide consistent and reproducible results.
• Must have a mechanism for being updated as practice evolves.
Challenges
• How to deal with fair use/fair dealing?
• As law becomes code (in the Lessig sense), how do we guard against
bad actors manipulating governance or the algorithm?
• How do we transition existing code into the algorithmic licence?
20. Conclusion
• Compliance is getting more complex as the sheer number of
components increases.
• New technologies (containerization etc.) compound this.
• Compliance MUST be automated. There is great progress in this area.
OpenChain, SPDX, REUSE frameworks, and technology from
FOSSology, Scancode, SW360 and many more, including proprietary
vendors, are making huge strides.
• However, compliance is still, in part, an art, not a science.
• The essence of open source is reducing friction. Can we reduce
friction further by looking at the licensing process itself?
21. Open Source Software Licence Compliance:
Art or science?
Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP