License compatibility analysis and component based systems in public research: presentation of a practical approach

EOLE Conference – 12/10/2012

Magali Fitzgibbon – Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

CONTEXT

A (very) short presentation of Inria…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Inria : French National Institute for Research in Computer Science and Automatic Control

8 research centers in France + head office

(corporate level and local TTOs)

Missions include:

=> fundamental and applicative research

=> dissemination of scientific knowledge

=> contributing to standardization

=> providing prototypes (technology transfer)

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Software prototypes @Inria

- Important number of software distributed under a FLOSS license

- Technology transfer includes operations based on open source software (in

particular by spin-off creation)

- Reuse of open source preexisting components is a usual developing practice at

Inria.

=> This leads de facto to license compatibility issues…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

exploitation Licensing out

Licensing in Policy

Software development process (seen from the legal / TTO point of view)

STRATEGY (legal compatibility)

Legal status of components Component’s licence Usually well defined

Legal status of software (Not so easy to defined)

Licensing in

L1

Code reuse (pre-existing components)

Component based systems

Software : set of components (with new “ex-nihilo”components)

Licensing out choice

Such an exercise can turn out to be difficult…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

License compatibility – the difficulties encountered by lawyers and TT managers: • To be familiar and deal with an important number and diversity of FLOSS licenses

(jungle)

• Vocabulary used in FLOSS licenses is not standardized

But not only…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Reality is more than a theoretical comparison of several licenses – context/object of analysis are crucial

• Great diversity of software and software architecture (how can architecture be useful for the analysis?)

• Inria’s software can be made of an important number of preexisting components,

usually under a FLOSS license …

• … and can be developed on long period of times (10-15 years) by numerous contributors

(How do you actually identify the licenses to be analyzed?) • Licensing out strategies may change during software’s life cycle (What incidence on license compatibility issues?)

Given these elements, what could be a good approach for license compatibility issues in component based systems?

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

I. License compatibility analysis and software’s architecture/detailed description

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

The 3 good reasons to ask for software’s detailed description

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Identify the scope of the analysis… and be sure that everyone actually talks of the same thing!

Easier in case of software with a “modular licensing strategy”

Makes dialogue easier with researchers/developers

Using software’s architecture – the example of DIET software (monitoring High Performance Computing Infrastructures)

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Source: Qualipso – Report on the proposed IPR tracking methodology – 16/12/2009 – www.qualipso.org

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

II. How can I identify licenses to be analyzed in a (large) component based system?

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Software’s contributors point of view and memory is essential (Inria assume people are of good faith)… … but it is nevertheless often incomplete! ⇒ Components’ origin and license issues are not always a priority at the beginning of a

project (POC) ⇒ Keeping a good track of what happened in a 5, 10 or 20 year development period is

difficult in public research (people come and go)

Asking the development/research team:

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

A different (and complementary) source of information is usually needed…

Example of a representation of authors’ appearance/disappearance and evolution of % contribution to source code

Source/copyright owner: Antelink - CC BY-NC-ND 2.0

Looking « by hand » in all header files to check for licenses

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Costs of analysis quickly turn to be high… Example: a software of 100 000 files = you can keep a lawyer busy a few weeks… … which means that ROI is not always satisfactory.

Using tools: the « industrial way »

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Code mining tools, license checkers… They allow to gain time… … and can therefore reduce costs of analysis! Components’ license information in header files can now be as « opened » as open

source software!

The experienced turned out be positive as far as Inria is concerned

However… Never forget that information still needs to be qualified!

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

• Identifying licenses is only a start… • Comparing a list of licenses, obtained with a tool, with your licensing-out

strategy is not sufficient for analysis to be efficient/complete! • Tools help/provide assistance but do not fulfill the analysis

Examples

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

1. An important number of files identified in one of Inria’s software with an Eclipse public license But… … after qualifying this information, the « EPL files » turned out to be source code generated by Inria’s developers with Eclipse’s framework 2. Incompatible License identified in one of Inria’s software But… It turned ou that headers were not up-to-date concerning license information

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Qualifying information requires discussion between lawyers, TT managers

and researchers/developers

III. Licensing-out strategy’s evolution during life cycle : what is the incidence?

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

What changing of licensing-out strategy means

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

• The previous licensing-in policy (if any!) may not be pertinent anymore… • … which means that software’s exogenous components’ licenses may not be

compliant with the new licensing-out strategy… • What if the previous software’s license is compatible with the new one? => Beware! Does not mean that components’ licenses are compliant!

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

A software initially distributed under a GNU LGPL v2.1 license

A licensing-in policy was defined

Research team’s intentions change in favour of a dual licensing scheme : GNU

GPL v2 and proprietary license

Example

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Example of licenses found during the analysis (for exogenous components)

Compliance with previous GNU LGPL strategy

Apache v.1 YES

Apache v.2 YES

Eclipse public license YES

BSD (new) YES

What the analysis revealed about the past…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

What the analysis revealed about the present/future…

Example of licenses found during the analysis (for exogenous components

Compliance with GNU GPL v2

Apache v.1 NO

Apache v.2 NO

Eclipse public license NO

BSD (new) YES

Hopefully, solutions could be found…

But shows that costs to make software legally compliant, when strategy changes, can actually become an issue

The 2nd part of the « story »: the legal issue did not turned out to be the only one…

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

Was the dual scheme really pertinent/appropriate? People are willing to pay for a proprietary license if they wish to redistribute themselves under a proprietary license (and avoid GNU GPL’s constraints) But, if a similar version is available somewhere under the GNU LGPL… GNU GPL version of software needs to be sufficiently different from the previous

GNU LGPL version!

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

What comparison of source code revealed

Source/copyright owner: Antelink - CC BY-NC-ND 2.0

Conclusion

Magali Fitzgibbon -Technology Transfer and Innovation Department - CC BY-NC-ND 2.0

License compatibility analysis for components based systems in public research is always : the encounter between particular software, a development and an exploitation

strategies

Team work between lawyers, TT managers and researchers/developpers And therefore a smart use and combination of people’s competence/experience

and tools

Which means that lawyers do not only need to rely on their « legal » expertise: basic knowledge and curiosity of what are software and software development, is

helpful

www.inria.fr Report on the proposed IPR Tracking methodology (L. Grateau, M. Fitzgibbon, G. Rousseau) http://www.inria.fr/content/download/6143/55776/version/2/file/Methodologie-d-analyse-IPR.pdf Qualipso EU funded project www.qualipso.org Guide d’approche et d’analyse des licences de logiciels libres (S. Steer, M. Fitzgibbon) http://www.inria.fr/content/download/5892/48431/version/2/file/INRIA_guide_analyse_licences_libres_vf.pdf Recueil de fiches explicatives de licences libres (S. Steer, M. Fitzgibbon) http://www.inria.fr/content/download/5892/48431/version/2/file/INRIA_guide_analyse_licences_libres_vf.pdf

Magali Fitzgibbon magali.fitzgibbon@inria.fr http://www.linkedin.com/pub/magali-fitzgibbon/3a/390/76a

Thank you!