
Understanding open source licensing to deliver “clean” software

Kamal Hassin

FOSSLC Summercamp 2009

May 14, 2009

Slide 2: Agenda

- Background
- Open source licensing
- Best practices
- Clean IP
- Business implications

Slide 3: “Mixed-IP” environment

- Code re-use makes sense
- Access to code is fast and easy
- Developers carry code with them
- Distributed development and outsourcing are common
- Collaboration and plagiarism are increasing

Slide 4: Open source policies

“Which of the following best describes your firm’s formal policy towards OSS?”

Source: Jeffrey Hammond, Principal Analyst, Forrester Research, InfoWorld OSBC, March 2009
http://www.eclipse.org/org/foundation/membersminutes/20090326StrategySummit/OSS-WYPAUT3_JeffreyH.pdf

Slide 5: Who cares?

- Buyers and sellers of software
- Software company executives
- Software development managers
- Technology transfer officers
- Lawyers

Slide 6: License fundamentals

- Closed versus open
- Purpose of open source licenses
  - Protect IP rights of authors and owners
  - Make source code available (according to conditions)
  - Outline obligations and restrictions
- 65 OSI-approved licenses (May 2009)
  - Ensure credibility and user confidence
- Finding the right fit

Slide 7: Licensing spectrum

The spectrum runs from Attribution to Distribution. Licenses placed on it: LGPL 2.1, GPL 2.0, BSD, MIT, Apache, CPL, Eclipse, Mozilla, IBM, Public domain.

Slide 8: Code usage and interaction

Adapted from Black Duck Software (2007).

License spectrum: BSD, LGPL, GPL.

Code integration, from separate to integrated: Separate work; Dynamic library; Module; File or fragment.

The chart plots each of the three licenses against those four ways of integrating the code.

Slide 9: License interpretation

- “Low risk” can still equal high cost
  - Veritas v. Microsoft
- Language is complex, evolving, and open to interpretation
  - Jacobsen v. Katzer
- Embedded systems can be surprising
  - Free Software Foundation v. Cisco/Linksys

Slide 10: License infringement

- Enforced injunction depends on legal processes, but the gap is closing
- Some customers are demanding indemnification from software companies
- Any company that is a defendant in third party IP litigation ends up with losses
- “Sticking your head in the sand” is not a solution

Slide 11: License enforcement

- Incipient case law, reliance on industry and adoption practices
- Organized GPL enforcement
  - gpl-violations.org
  - Free Software Foundation
  - Software Freedom Law Center
- How do we use this stuff legally?
- What is my organization’s IP policy?

Slide 12: License compliance best practices

- Define an IP policy based on the organization’s goals and choose solutions that help implement it
- Consider preventive versus corrective solutions
- Improve due diligence processes
  - Education
  - Explicit checks and manual examination
  - Automated tools

Slide 13: License compliance best practices

- Continuously track code pedigree and licenses for all external contributions
  - What is its origin?
  - Who wrote it?
  - How will I use it?
  - Does it comply with my IP policy?
- Integrate license compliance solutions into existing development processes with minimal disruption
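As an added illustration (not part of the talk or of Protecode's tooling), a small Python check that asks the four pedigree questions above and applies the license-spectrum versus integration-mode idea from the “Code usage and interaction” slide to a constructed bill of materials. The license-to-mode policy table and the component names are assumptions made for the example, not rules or data the deck states.

```python
from dataclasses import dataclass

# Integration modes from the "code usage and interaction" slide, least to most integrated.
MODES = ("separate work", "dynamic library", "module", "file or fragment")

# ASSUMED policy for a proprietary product (the talk states no such table):
# the most integrated mode each license family tolerates.  Permissive
# licenses allow anything, LGPL stops at dynamic linking, GPL only as a
# separate work; licenses missing from the table are never allowed.
MAX_MODE = {"BSD": "file or fragment", "MIT": "file or fragment",
            "Apache": "file or fragment", "LGPL": "dynamic library",
            "GPL": "separate work"}

@dataclass
class Component:
    name: str
    license: str   # license family recorded in the pedigree
    mode: str      # one of MODES ("How will I use it?")
    origin: str    # where the code came from ("What is its origin?")
    author: str    # who wrote it ("Who wrote it?")

def check(c: Component) -> list[str]:
    """Policy findings for one component; an empty list means clean."""
    out = []
    if not (c.origin and c.author):
        out.append(f"{c.name}: pedigree incomplete (origin or author unknown)")
    if c.mode not in MODES:
        return out + [f"{c.name}: unknown integration mode {c.mode!r}"]
    limit = MAX_MODE.get(c.license)
    if limit is None:
        out.append(f"{c.name}: license {c.license!r} not covered by policy")
    elif MODES.index(c.mode) > MODES.index(limit):
        out.append(f"{c.name}: {c.license} code integrated as {c.mode}, "
                   f"policy allows at most {limit}")
    return out

def audit(bom: list[Component]) -> list[str]:
    """Answer "Does it comply with my IP policy?" for a whole bill of materials."""
    return [f for c in bom for f in check(c)]

# Constructed sample bill of materials; names and origins are made up.
SAMPLE_BOM = [
    Component("jsonlite", "MIT", "file or fragment", "public repo", "J. Doe"),
    Component("libfoo", "LGPL", "dynamic library", "vendor tarball", "Foo Team"),
    Component("gplparser", "GPL", "module", "contractor drop", ""),
    Component("mystery.c", "unknown", "file or fragment", "", ""),
]
```

Running `audit(SAMPLE_BOM)` flags the GPL module and the unknown-license file, each with an incomplete pedigree, and passes the two components whose license and integration mode fit the assumed policy.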

Slide 14: Clean IP

Clean IP matrix: each clean IP variable (rows A to E) is rated at clean IP level 1 to 4. The practices for each variable are listed below in order from level 1 to level 4.

A. Preventive measures: Policies exist; Policies enforced; Some education; Company-wide policies; Periodic monitoring; Project-oriented policies; Full education; Real-time monitoring

B. License compliance tools: Manual string searches; In-house tools; Bill of materials generation; Automated scanning tools; License compliance checking; Automatic pedigree generation; License compatibility checking; Integrated into DE

C. Customer indemnification: Maintenance contracts; Usage guidelines; Limited indemnification; Infringing code replacement; Partial customer support; Full indemnification; Full customer support

D. Clean code library: Local ad-hoc library; Manual search; Central library exists; Limited search for legacy code; Periodic updates; Module/fragment search for legacy code; Automatic updates; Full search and dependency analysis

E. Outsourcing practices: Internal, legal approval; Continuous scanning of all incoming code; Periodic scanning at milestones by third party; License compliance reports; Outsourcer assurance required
Slide 15: When is clean IP addressed?

Project timeline: BEFORE, DURING, AFTER, NEVER

- Project planning: Necessary, but not sufficient
- Periodic monitoring: Expensive; Correction required; Disruptive
- Real-time monitoring: Platform/IDE integration; Customization required
- External organization: Very expensive; After-the-fact correction; Lengthy process
- Internal organization: Ad-hoc tools; After-the-fact correction; Lengthy process

Slide 16: How is clean IP addressed?

A matrix of Manual versus Automated approaches against Preventive versus Corrective ones, with these entries: Commercial; Internal processes; Due diligence service companies; Academic; Commercial; Education, ethics; Use only known code

Slide 17: License compliance tools

Commercial products, by clean IP level (listed in order from level 1 to level 4): Manual string searches; In-house tools; Bill of materials generation; Automated scanning scripts, tools; License compliance checking; Automatic pedigree generation; License compatibility checking; Integrated into DE

Slide 18: Criteria for tool choice

- Effectiveness
- Ease of use
- Cost
- Integration
  - Legacy code analysis
- Transparency
- Learning and training
- Interpretation

Slide 19: Business implications

- Clean IP methods impact product development as well as management, hiring/training, and quality processes
- It is impossible for a company to grant warranties or indemnification to customers if its software product cannot guarantee clean IP
- Delivering unclean IP reduces the ability to create partnerships
- Under copyright law, the licensor of code can also sue “downstream licensees” for infringement
  - Think about the Cisco case

Slide 20: Business implications

- In any merger and acquisition or funding deal, uncertainty over clean IP
  - Generates risk and threatens successful closure
- Increases product time to market
- Affects software IP valuation and overall business valuation
- Remediation is time-consuming and expensive
- IP infringement litigation can drag on for years and drain company resources
  - Think about the Cisco case (again)

Slide 21: Functional opportunities

- Build clean IP services on a collaborative platform that provides real-time access to code
  - Improve efficiency of the code scanning and approval process
- Produce real-time compliance reports for the appropriate teams
- Reduce cost and risk by addressing clean IP issues earlier in product development

Slide 22: Functional opportunities

- Implement clean IP as a distributed service as opposed to having a “single door checklist” every time a supplier contributes IP
  - Can be applied to the supply chain, parallel to quality assurance methods
- Reduces time and resources spent by the integrator to ensure clean IP
- Automate identification of code usage and interaction
  - Separate modules, static/dynamic linking, embedded components
- “Reverse” IP identification: who is using my IP?

Slide 23: Partnership opportunities

- Real-time IP management and software collaboration platforms
- Software IP auditing services and legal firms
- IP policy management and universities
- Software quality organizations and open source licensing authorities

Slide 24: Conclusions

- Software development practices are evolving and new concerns arise in various industries
- Define an IP policy based on the organization’s goals and choose solutions that help implement it
- Methods to ensure clean IP are improving to reflect more business drivers
  - Preventive versus corrective solutions
- Let opportunity be your motivation: take a proactive approach to clean IP

Slide 25: Questions

Kamal Hassin
Technical marketing specialist
Protecode Inc.
khassin@protecode.com
www.protecode.com