LinuxCon Europe 2014: License Compliance and Open Source Software Logistics for Cloud-Based...
Transcript of LinuxCon Europe 2014: License Compliance and Open Source Software Logistics for Cloud-Based...
© 2014 Black Duck Software, Inc. All Rights Reserved.
LICENSE COMPLIANCE AND OPEN SOURCE SOFTWARE LOGISTICS FOR CLOUD-BASED APPLICATIONS
Kirsten Newcomer, Director of Product Management, Black Duck Software
@black_duck_sw
DISCLAIMERS
I AM NOT A LAWYER
THIS TALK DOES NOT PROVIDE LEGAL ADVICE
THE FUTURE OF OPEN SOURCE 2014 SURVEY
Record-breaking responses: 1,240 respondents in 2014 (822 in 2013, 740 in 2012, 453 in 2011).
Survey respondents: 42% vendor, 58% non-vendor.
Respondent roles: software engineer/developer, analyst, CEO/founder, CIO, educator, line of business manager, marketing, system architect/engineer, VP, sales/business development, IT management & staff, lawyer/investor, president, other.
THE RISE OF SaaS AMONG OPEN SOURCE VENDORS
Software as a Service (SaaS) as a delivery model: 40% in 2012, 47% in 2013, 60% in 2014. SaaS moved to #1 from 2013.
OPEN SOURCE CENTRAL ACROSS TECHNOLOGY
Main areas where open source is leading the technology industry (percentage of respondents, in the order shown on the chart):
• Cloud/virtualization: 63%
• Content management: 57%
• Mobile: 53%
• Security: 51%
• Collaboration: 49%
• Network management: 48%
• Social media: 46%
• 3D printing: 27%
• Analytics and business intelligence: 26%
• Drones: 13%
• Gaming: 12%
• ERP: 10%
OPEN API FUELS OPEN SOURCE
Expected impact of open APIs on open source:
• 68% will reinforce growth/adoption
• 14% don't know/not sure
• 9% will substitute for or inhibit growth
• 7% will have no impact
WHAT ELSE DID WE LEARN?
CORPORATE PARTICIPATION IN OSS
Over 50% of all enterprises are expected to contribute to and adopt open source.
CORPORATE PARTICIPATION IN OSS
30% make it easy for employees to participate in or start their own open source projects.
NEW PEOPLE IMPACTING OPEN SOURCE
The #1 factor in the explosion of small projects is first-time developers participating in open source: 2X more important than any other factor.
SO, HOW DOES THE RISE OF SAAS AFFECT YOU?
Odds are good that you're going to be working with open source:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
A quick refresher is in order…
• Goals of open source licenses
• Categories of licenses
OPEN SOURCE DEFINITION
1. Free redistribution
2. Program must include source code and must allow distribution in source code as well as compiled form
3. Must allow modifications and derived works
4. Integrity of the author's source code
5. No discrimination against persons or groups
6. No discrimination against fields of endeavor
7. Distribution of license: no additional license can be required of others who redistribute the program
8. License must not be specific to a product
9. License must not restrict other software
10. License must be technology-neutral: not predicated on any individual technology
THE OSS LICENSE CONTINUUM
From permissive to restrictive (stronger copyleft):
• Permissive licenses: X11/MIT, Apache, BSD
• Weaker copyleft: LGPL, MPL
• Stronger copyleft: GPL, AGPL
COMMON MYTHS ABOUT OPEN SOURCE
• "Open source is in the public domain."
• "None of these agreements are enforceable so it doesn't really matter anyway."
• "If I don't distribute software, I don't need to worry about licensing."
• "All open source licenses require the release of source code for everything."
• "No one will ever know."
• "All open source licenses are reciprocal/copyleft…"
EVOLUTION OF SOFTWARE DELIVERY AND OPEN SOURCE LICENSES
Timeline, 1990 to 2010:
• Delivery: CDs in the 1990s; ASP hosting (the "SaaS loophole") in the 2000s; Cloud and SaaS in the 2010s
• Licenses: GPL v2 (1991); AGPLv1 (2002); GPLv3 and AGPLv3 (2007)
“The GNU Affero General Public License . . . requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version.”- Preamble to AGPL 3.0 license
THE GNU GPL FAMILY OF LICENSES
1991 GPL v2: private use is unrestricted; if you distribute object code, you must make source code available
LGPL v2: "work that uses the library" versus "work based on the library"
2002 AGPL v1: closes the network access loophole
2007 GPL v3: system library exception; internationalization (country-neutral terminology); license compatibility (Apache, Affero)
2007 LGPL v3: an additional permission on top of GPL v3 licensed code
2007 AGPL v3: includes all GPLv3 terms and adds the "Network Use" clause: the source code sharing obligation also extends to "all users who access through a computer network"
MORE ABOUT INTERNATIONALIZATION
Rights are tied to laws in specific countries; you do not have “copyright” but UK copyright, US copyright, French copyright, German copyright, etc.
Point of interest: the English tradition views copyright as an industrial right; the Continental tradition views copyright as the right of the artist.
GPL v2 is tightly tied to US copyright law
• Legislative history and case law define "distribution," "public distribution," "limited distribution"
• Distribution means one thing in the US and another in Europe
• Even the term "public" has a long legal history in the US
It is impossible to say anything about “distribution” of copyrighted works that is globally accurate.
THE GNU GPLV3
GPL v3 changes language to use contract terms:
• Convey: to "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
• Propagate: to "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
BUT, intentionally does not close SaaS loophole
THE AGPL V3
Includes all GPLv3 terms and “Network Use” clause
Network Use Clause: Source code sharing obligation also extends to “all users who access through a computer network”
The network use clause is set forth below: “Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.”
GPLV3 INTERACTION WITH AFFERO GENERAL PUBLIC LICENSE
GPLv3 does not incorporate the Affero General Public License requirements into GPLv3, but it does build a bridge. Section 13 of GPLv3, "Use with the GNU Affero General Public License":
• Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
NUMBER OF PROJECTS WITH AGPL-LIKE LICENSES
Source: Black Duck KnowledgeBase(Did not include Apple Public Source License in analysis)
Over 1000 projects use AGPLv3
INDIVIDUAL SAAS LICENSE MARKET SHARE AS A PERCENTAGE OF TOTAL SAAS LICENSE MARKET
Rank License %
1 GNU Affero General Public License v3.0 53.93%
2 Open Software License 2.0 21.07%
3 Affero General Public License v 1.0 7.61%
4 Open Software License 3.0 7.23%
5 Common Public Attribution License 1.0 5.72%
6 Academic Free License v3.0 1.95%
7 Open Software License 2.1 1.86%
8 Open Software License 1.1 0.25%
9 Non-Profit Open Software License 3.0 0.22%
10 Honest Public License 0.06%
11 Rumba Exception to Gnu Affero General Public License V3.0 0.03%
12 Zarafa Affero 3 License 0.03%
13 Open Software License 1.0 0.03%
AGPL-LIKE LICENSES DISCOVERED IN AUDITS
Source: Black Duck Audit Data
APPLE PUBLIC SOURCE LICENSE
Unique license from Apple
1.4 "Externally Deploy" means: (a) to sublicense, distribute or otherwise make Covered Code available, directly or indirectly, to anyone other than You; and/or (b) to use Covered Code, alone or as part of a Larger Work, in any way to provide a service, including but not limited to delivery of content, through electronic communication with a client other than You.
If You Externally Deploy Your Modifications, You must make Source Code of all Your Externally Deployed Modifications either available to those to whom You have Externally Deployed Your Modifications, or publicly available. Source Code of Your Externally Deployed Modifications must be released under the terms set forth in this License, including the license grants set forth in Section 3 below, for as long as you Externally Deploy the Covered Code or twelve (12) months from the date of initial External Deployment, whichever is longer. You should preferably distribute the Source Code of Your Externally Deployed Modifications electronically (e.g. download from a web site).
COMMON PUBLIC ATTRIBUTION LICENSE
Drafted for Socialtext prior to AGPLv3, Mozilla Public License with “External Deployment” provisions
15. ADDITIONAL TERM: NETWORK USE. The term “External Deployment” means the use, distribution, or communication of the Original Code or Modifications in any way such that the Original Code or Modifications may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Code or Modifications as a distribution under section 3.1 and make Source Code available under Section 3.2.
OPEN SOFTWARE LICENSE/ACADEMIC FREE LICENSE
Unique licenses which use “External Deployment” concept to extend requirements to provide source code to network use as well as distribution:
5) External Deployment. The term "External Deployment" means the use, distribution, or communication of the Original Work or Derivative Works in any way such that the Original Work or Derivative Works may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Work or a Derivative Work as a distribution under section 1(c).
HONEST PUBLIC LICENSE
This license is a modified version of the GNU General Public License copyright (C) 1989, 1991 Free Software Foundation, Inc. and has been made with their permission, but has not been endorsed by the Free Software Foundation. Section 2(d) has been added to cover use of software over a computer network.
b) You must cause any work that you distribute, communicate to the public or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
PARTICULAR CHALLENGES COME WITH LICENSE COMBINATIONS
Applications are made up of many parts, often with many licenses:
• AGPL
• Apache
• BSD
• Commercial
Many SaaS applications have downloadable plug-ins with additional licenses, such as
• GPL (JavaScript)
It's important to evaluate compatibility:
• Licenses may include provisions which may be incompatible with the obligations of other licenses
• Even when license obligations can be incompatible, the issue is whether the obligations are triggered
• Be aware of file-level licenses as well; not all files in a project have the same license
NOW ADD IN DOCKER…
(Diagram: a SaaS application with "Download Browser App", "Download Mobile App" and "Download Desktop App" links)
DOES DOCKER CHANGE THINGS?
• Docker is increasing the use of containers
• We seem to be on the verge of another delivery paradigm shift
• Are there any special considerations for OSS licenses when used in software distributed in containers?
• What kind of a distribution, or conveyance, is a Docker container?
• Does it depend on where it's deployed?
  • You created it and you deploy it to your private cloud
  • You created it and you make it available for download in Docker Hub
• What legal obligations do you have?
• How do you manage those obligations?
• How does the downstream consumer of the container know what obligations she incurs when deploying your container
  • for in-house use
  • for use in an externally facing SaaS application
  • for use by another downstream application
• Does the fact that the container is fully encapsulated change anything?
• How will you determine what the combination of licenses and obligations are for the contents of a Docker image that you download?
• Will new license terms emerge in response to Docker containers?
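The question of how a downstream consumer works out what obligations a container's contents trigger is the one most worth automating. The Python below is an added example, not from the talk and not Black Duck's software: it takes an inventory of components (constructed, with made-up names and SPDX-style license identifiers, which is an assumption) and applies the license categories from the slides under three deployment models: private use only, an externally facing SaaS application, and a conveyed copy such as an image published for download. Treating registry publication as conveyance is an assumption; the talk poses it as an open question. The code also encodes the GPLv3 section 13 bridge quoted above, so GPLv3 components combined with an AGPLv3 component come under the network clause for the combination, and it flags unknown identifiers rather than silently treating them as permissive.

```python
"""Added example (not from the talk, not Black Duck tooling): which source
obligations does a container's component inventory trigger under a given
deployment model? Categories follow the slides' license continuum and their
list of network-use licenses. Identifiers are SPDX-style (assumed)."""
from dataclasses import dataclass

# Source obligation triggered by network use alone: AGPL "Network Use",
# OSL/AFL and CPAL "External Deployment", APSL "Externally Deploy", HPL 2(d).
NETWORK_USE = {
    "AGPL-1.0", "AGPL-3.0",
    "OSL-1.0", "OSL-1.1", "OSL-2.0", "OSL-2.1", "OSL-3.0", "NPOSL-3.0",
    "AFL-3.0", "CPAL-1.0", "APSL-2.0", "HPL-1.0",
}
# Copyleft triggered only by conveying a copy: GPLv3 deliberately leaves the
# SaaS loophole open, and GPLv2 private use is unrestricted.
CONVEYANCE_COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0"}
# Permissive: notice/attribution obligations on conveyance only.
PERMISSIVE = {"MIT", "X11", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}

INTERNAL, SAAS, CONVEYED = "internal", "saas", "conveyed"   # deployment models (assumed)


@dataclass(frozen=True)
class Component:
    name: str
    license: str   # SPDX-style identifier (assumed)


def obligations(components, deployment):
    """Return {component name: obligation} for every component whose license
    obligations are triggered under `deployment`. Components with nothing
    triggered are omitted; unknown identifiers are always flagged."""
    if deployment not in (INTERNAL, SAAS, CONVEYED):
        raise ValueError(f"unknown deployment model: {deployment}")
    # GPLv3 s.13: combining with AGPLv3 makes the AGPL network clause apply
    # "to the combination as such".
    combined_with_agpl3 = any(c.license == "AGPL-3.0" for c in components)
    out = {}
    for c in components:
        lic = c.license
        if lic in NETWORK_USE:
            if deployment == CONVEYED:
                out[c.name] = "provide source with the conveyed copy"
            elif deployment == SAAS:
                out[c.name] = "offer Corresponding Source to remote users (network-use clause)"
            else:
                # The slides leave private-cloud use open: these clauses turn on
                # users "other than You" / users "interacting remotely".
                out[c.name] = "review: network clause may apply if anyone other than you uses it remotely"
        elif lic in CONVEYANCE_COPYLEFT:
            if deployment == CONVEYED:
                out[c.name] = "make source available with the conveyed copy"
            elif deployment == SAAS and lic == "GPL-3.0" and combined_with_agpl3:
                out[c.name] = "offer Corresponding Source (GPLv3 s.13 combination with AGPLv3)"
        elif lic in PERMISSIVE:
            if deployment == CONVEYED:
                out[c.name] = "retain copyright and license notices"
        else:
            out[c.name] = "unknown license identifier: manual review"
    return out


def report(components):
    """Obligations under every deployment model, keyed by model."""
    return {d: obligations(components, d) for d in (INTERNAL, SAAS, CONVEYED)}


# Constructed inventory for a hypothetical image; component names are made up.
IMAGE = [
    Component("svc-db", "AGPL-3.0"),
    Component("libcodec", "GPL-3.0"),
    Component("libutil", "LGPL-2.1"),
    Component("ui.js", "MIT"),
    Component("vendor-blob", "LicenseRef-Proprietary"),
]

if __name__ == "__main__":
    for model, obl in report(IMAGE).items():
        print(f"== {model} ==")
        for name, text in sorted(obl.items()):
            print(f"  {name}: {text}")
```

This is a triage aid, not legal advice; the speaker's disclaimer applies. A real inventory would be built from the image's package databases and file-level scans, since the slides note that not all files in a project carry the project's license, and the "review" and "manual review" entries are where a human still has to decide.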
TECHNICAL DECISIONS HAVE LEGAL IMPLICATIONS
Choosing a FOSS project requires both legal and technical evaluation.
Compliance is mission critical: you must understand the legal obligations as well as the code and the community.
Security matters too, especially with service solutions.
OSS LOGISTICS IS ABOUT…
• Knowing what open source you use.
• Knowing where your open source is used.
• Knowing how your open source is deployed.
• Using open source code in a compliant way.
• Knowing what your legal obligations are.
• Working with the community to maintain the open source you use.
• Understanding the security of your open source.
• Participating effectively in the open source ecosystem.
TO DO THE RIGHT THING, YOU NEED TO KNOW
Strategy
• The business objectives for your application
License(s) & Obligations
• The set of obligations associated with your use of open source
Technology
• Automation to provide visibility, control and assist with compliance
Tens of thousands of developers leverage the GPL every day, and do it in compliance with its obligations; the community will do the same for AGPL