This document discusses open source software licensing and how to identify license information within software packages. It explains that licensing matters due to copyright laws and open source license obligations. License information can be found in source code files, license files, readmes and externally. Tools are available to help scan software and identify licenses, but they have limitations so manual review is also needed. Common licensing issues include ambiguous or missing licenses, business model incompatibilities, and attribution obligations. Resources for further information on open source licensing are provided.

1. Protecode Inc. 2014
Where’s the License?!?
June 18th 2014
1

2. Protecode Inc. 2014
Agenda
 Why Licensing Matters
 What defines Free and Open Source Software
 Where to look
 What to do with licenses found
 Tools and Resources
 Q & A
2
Normand Glaude,
COO, Protecode
nglaude@protecode.com
Disclaimer: I am not a lawyer. The material presented in this webinar in for informational
purposes only and not for the purpose of providing legal advice.

3. Protecode Inc. 2014
Open Source Software
 The good: enables rapid software development
– Easy access to code, hundreds of thousands of projects
– Faster, more functional
– Enables new business models
 The challenge: Uncertain ownership structure
– Intellectual property - copyright, license
– Requires due diligence
3

4. Protecode Inc. 2014
Why Licensing Matters
 Copyright Laws are (mostly) Universal
– Governed by the WTO, 168 states parties to the
Berne Convention
• Copyright is automatic, whether registered or not
 Open Source Licenses
– Copyright owner’s way of giving right to use
– Most open source licenses have obligations
– May or may not suit your business model
4

5. Protecode Inc. 2014
FOSS, as in Free Software?
Free Software, according to the Free Software Foundation:
“Free software” means software that respects users' freedom and community.
Roughly, it means that the users have the freedom to run, copy, distribute,
study, change and improve the software. Thus, “free software” is a matter of
liberty, not price. To understand the concept, you should think of “free” as in
“free speech,” not as in “free beer”.
Source: http://www.gnu.org/philosophy/free-sw.html
“… Open Source misses the point of Free Software.”
Source: http://www.gnu.org/philosophy/open-source-misses-the-point.html
5

6. Protecode Inc. 2014
FOSS, as in Open Source Software?
The Open Source Definition, according to the Open Source
Initiative:
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral
Source: http://www.gnu.org/philosophy/open-source-misses-the-point.html
6

7. Protecode Inc. 2014
Where to find licensing information
 Everywhere!
– Any and every file in the package
• Source code, header files, license files, readme, archives…
– Even outside the package
• Website, forums
 Information to consider
– Full License Text
– References to licenses
– Documentation that clarifies licensing
– Location where references/text was found
– Documentation external to package
7

8. Protecode Inc. 2014
File License
 Reference to license information
– Typically found in the header section of the file
– Generally applies to the whole file (sometimes to code snippet)
– Impractical to include complete license text
8

9. Protecode Inc. 2014
License and Copyright Use
9
Source: Protecode GIPSTM Database

10. Protecode Inc. 2014
Full License Text
 Required by all licenses
– Web sites and links change over time
– A package is transferred as a unit == does not change
 Contains
– Permissions, conditions, obligations, disclaimers, exceptions,
etc.
 Location Matters!
– Where did you find the license file?
• At the root of the package?
• In a sub-folder?
• In a documentation folder?
– What is the scope of the license?
10

11. Protecode Inc. 2014
Full Text License Example
11

12. Protecode Inc. 2014
License Notices
 Documentation about licenses
– Often found at or near the root of a package
– Contain statements and clarification about licenses
• Are they it conjunctive (AND) or disjunctive (OR)
• Are 3rd party components included or packaged separately
– Understand structure of package
 Often depends on hosting forge and language
– Examples:
• Github  license.md, readme.md
• Ruby  packaged as Gem files with embedded license tags
 Internal and External References
12

13. Protecode Inc. 2014
License Notice Example
13

14. Protecode Inc. 2014
Project Types
 Simple
– Homogenous licensing
– Original content, no 3rd party included in packages
Example: Apache HTTPClient
 Composite
– Mixed or homogenous licensing
– Some original content, some 3rd party
Example: Vaadin
 Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
Example: 4MLinux
14

15. Protecode Inc. 2014
So, which license applies?
 Dual and multi-licensing
– Pick one
 Relicensing vs. sublicensing
– Pick
 Compatibility of licenses
– Incompatibilities mostly with copyleft licenses
– GPL incompatibilities well documented
 Files with no copyright
– Who’s creation?
 Ask for clarification!
15

16. Protecode Inc. 2014
Tooling
 Free Tools
– Perform a superficial scan of the source code
• Fossology (http://www.fossology.org)
• SPDX (http://spdx.org)
• Windriver (http://spdx.windriver.com)
• Ninka (http://ninka.turingmachine.org)
 Commercial tools
– Perform a deep scan of the source code,
archives and binaries
• Use a reference database
• Identify full file content AND code snippet
• Find project information,
– source repositories, security vulnerabilities, etc.
– Perform local scan of the source code
• Identify attributes of proprietary software, not found in reference DB
16

17. Protecode Inc. 2014
Automated Software Scanning
Automated Scan (Protecode Enterprise AnalyzerTM)
• Target files: source code, binaries, archives
• Information files
– README, COPYING, LICENCE.txt, etc.
• Two-step scan:
1. Local scrubbing of software files
2. Similarity with public-domain OSS
• Fast: ~ 4k files (100 – 200 Mbytes)/hour
Raw machine output
• OSS projects, packages, versions,
licenses, copyrights, vulnerabilities,
encryption content, etc.
• Modified/unmodified software
• Proprietary, unknowns, conflicting licenses, etc.
17

18. Protecode Inc. 2014
Typical Licensing Issues
Uncovered in Open Source
 OSS content with ambiguous / no license terms
– Software with copyrights but no licenses
– Software with authors but no copyrights / licenses
– Software with no pedigree information
– Software with conflicting license information
– Public domain software with proprietary licenses
 Licenses  business model mismatch
– i.e. modified restrictive/copyleft licensed content in
closed source commercial software
– Cloud deployments and newer license models
– Warranties and support models
– Attribution obligation
18

19. Protecode Inc. 2014
Open Source License Resources
19
Software Freedom and Intellectual Property Law
by Lawrence Rosen
• http://www.rosenlaw.com/oslbook.htm
Open Source Initiative
• http://opensource.org/licenses
Free Software Foundation
• https://www.fsf.org/
SPDX: Software Package Data Exchange®
• http://spdx.org
Fossology
• http://www.fossology.org/
Contact Us:
nglaude@protecode.com
http://protecode.com
Please type your questions into
the chat box to the right.

20. Protecode Inc. 2014 20
info@protecode.com
www.protecode.com