Open Source Outlook: Expected Developments for 2016


Transcript of Open Source Outlook: Expected Developments for 2016

Page 1: Open Source Outlook: Expected Developments for 2016

1 © 2016 Black Duck Software, Inc. All Rights Reserved.

Open Source Outlook: Expected Developments for 2016

Page 2: Open Source Outlook: Expected Developments for 2016


SPEAKERS

Phil Odence

Vice President & General Manager

Karen Copenhaver

Partner at Choate Hall & Stewart Counsel for the Linux Foundation

Mark Radcliffe

Partner at DLA Piper General Counsel for the Open Source

Initiative (OSI)

Page 3: Open Source Outlook: Expected Developments for 2016


OPEN SOURCE TRENDS: ALL UP AND TO THE RIGHT

2015

• 95% in mission critical apps
• In every industry
• >30% of a typical code base
• >1.5M projects
• Productivity
• Innovation

Page 4: Open Source Outlook: Expected Developments for 2016


AGENDA

• Emphasis on compliance
• Enforcement efforts have motivated community-centered compliance, as reflected in:
  • SPDX
  • OpenChain
  • Training
  • Principles of Community-Oriented GPL Enforcement
• Open source and application security
• Explosion of company involvement in collaborative projects
• New topics on the horizon

Page 5: Open Source Outlook: Expected Developments for 2016


INCREASED IMPORTANCE OF COMPLIANCE

• What is so hard?
  • Complex licenses
    • Changing technical realities
    • Complex products
    • Complex supply chains
    • Rapid release cycles
    • Multi-jurisdictional
  • Coordination of software licenses
    • Multiple documents
    • Presented at different times in the sales cycle to different people with different authority
    • Additional open source licenses
    • Conflicting terms
  • Complex nature of modern IT and involvement of third parties means the supply chain needs to be managed

Page 6: Open Source Outlook: Expected Developments for 2016


PROGRESS!

• SPDX adoption continues and use cases expand.
• OpenChain has released a proposed specification and is moving forward with a fully established project governance.
• The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the availability of Open Source Compliance Basics for Developers, a free course designed to provide software developers with knowledge about legal and licensing issues for building and using open source software.
• Principles of Community-Oriented GPL Enforcement released by SFC.

Page 7: Open Source Outlook: Expected Developments for 2016


LITIGATION

• Concerns about copyright trolls
  • Patent troll: non-practicing entity with the sole focus of using leverage to extract money from alleged infringers
  • Copyright troll: developer acting outside of community norms to extract money based on compliance failures
• Open source “monetizers”
• VMware litigation

Page 8: Open Source Outlook: Expected Developments for 2016


ORACLE VS GOOGLE: COPYRIGHT IN JAVA API

• Litigation over use of Java API by Google in Android
• CAFC reverses district court decision in favor of Google
  • District court: 872 F. Supp. 2d 974 (N.D. Cal. 2012); CAFC: 750 F.3d 1339 (Fed. Cir. 2014), cert. denied, 83 U.S.L.W. 3929 (U.S. June 29, 2015)
• Remanded to district court
• CEOs met on April 15, 2016 and were not able to settle it
• Key issue: scope of copyright protection for API (note: similar issue in Hellwig v. VMware litigation)

Page 9: Open Source Outlook: Expected Developments for 2016


HELLWIG V. VMWARE (WELTE BLOG OVERVIEW 1)

• VMware is alleged to be using parts of the Linux kernel in their proprietary ESXi product, including the entire SCSI mid-layer, USB support, radix tree and many, many device drivers.
• Linux is licensed under GNU GPLv2 with a “modification” by Linus Torvalds
• VMware has modified all the code they took from the Linux kernel and integrated it into something they call vmklinux.
• VMware has modified their proprietary virtualization OS kernel vmkernel with specific API/symbols to interact with vmklinux
• vmklinux and vmkernel interaction is uncertain

Page 10: Open Source Outlook: Expected Developments for 2016


HELLWIG V. VMWARE (WELTE BLOG OVERVIEW 2)

• The judges acknowledged that this case is important and one of first impression in Germany
• The judges understand that Linux is a collaborative, community-developed operating system, and that the development process is incremental and involves many authors.
• The judges understand and acknowledge that much discussion has occurred about interfaces between different programs or parts of a program, and that there are a variety of different definitions and many interpretations of what interfaces are

Page 11: Open Source Outlook: Expected Developments for 2016


HELLWIG V. VMWARE (WELTE BLOG OVERVIEW 3)

• Judges focused on the amount of “copyright” material owned by Hellwig which is claimed to be incorporated into the VMware program
• VMware's defense is, in part, that it could find very few functions that could be attributed to Hellwig (less than 1% of the Linux code used by VMware)
• Are vmkernel and vmklinux one of the following from a copyright point of view:
  • Separate programs / works
  • One program / work

Page 12: Open Source Outlook: Expected Developments for 2016


LEGACY OF VERSATA

• Focus on hybrid product licensing: getting licensing correct and avoiding the Versata problem
• Will terminated licensees regularly raise the defense of “integration” with GPLv2 licensed code?
• Will warranty claims against licensors arising from poorly drafted licenses become common?

Page 13: Open Source Outlook: Expected Developments for 2016


LF COLLABORATIVE PROJECTS LAUNCHED IN 2015

Page 14: Open Source Outlook: Expected Developments for 2016


TORT LIABILITY FOR SOFTWARE

• “Broadly speaking, a tort is a civil wrong, other than a breach of contract, for which the court will provide a remedy in the form of an action for damages.”
• Theories
  • Negligence
  • Strict liability
    • Manufacturing defect
    • Design defect
    • Inadequate warning
• Limits: economic loss doctrine, limited to personal damages and property damages (no lost profits)

Page 15: Open Source Outlook: Expected Developments for 2016


NEGLIGENCE THEORY

• § 282. Negligence Defined
  • In the Restatement of this Subject, negligence is conduct which falls below the standard established by law for the protection of others against unreasonable risk of harm. It does not include conduct recklessly disregardful of an interest of others.
• § 285. How Standard of Conduct is Determined.
  • The standard of conduct of a reasonable man may be established by a legislative enactment or administrative regulation which so provides, or adopted by the court from a legislative enactment or an administrative regulation which does not so provide, or established by judicial decision, or applied to the facts of the case by the trial judge or the jury, if there is no such enactment, regulation, or decision.

Page 16: Open Source Outlook: Expected Developments for 2016


STRICT LIABILITY IN TORT

• § 402A. Special Liability of a Seller of Product for Physical Harm to User or Consumer.
  • A product is defective when, at the time of sale or distribution, it contains a manufacturing defect, is defective in design, or is defective because of inadequate instructions or warnings. A product:
    • contains a manufacturing defect when the product departs from its intended design even though all possible care was exercised in the preparation and marketing of the product;
    • is defective in design when the foreseeable risks of harm posed by the product could have been reduced or avoided by the adoption of a reasonable alternative design by the seller or other distributor, or a predecessor in the commercial chain of distribution, and the omission of the alternative design renders the product not reasonably safe;
    • is defective because of inadequate instructions or warnings when the foreseeable risks of harm posed by the product could have been reduced or avoided by the provision of reasonable instructions or warnings by the seller or other distributor, or a predecessor in the commercial chain of distribution, and the omission of the instructions or warnings renders the product not reasonably safe.

Page 17: Open Source Outlook: Expected Developments for 2016


CHALLENGES TO APPLICATION OF TORT TO SOFTWARE

• Negligence
  • Lack of reasonable man
  • Proof of causation
    • Substantial factor
• Strict liability
  • Limited to certain types of products
  • Policy decision by courts
  • ALM: courts' reluctance to impose liability on products that cannot be manufactured “perfectly”

Page 18: Open Source Outlook: Expected Developments for 2016


DECISIONS

• Little coherence
• Winter v. Putnam (1991)
  • Dicta, not decision: computer software should be subject to strict liability in tort
• Toyota MDL Litigation for Unintended Acceleration
  • Complex causation issues
  • Software development procedures
• Hou-Tex v. Landmark Graphics
  • Defective software due to failure to update, but no liability because the mistaken well was “economic loss”

Page 19: Open Source Outlook: Expected Developments for 2016


SECURITY FUNDAMENTALS

• Know what code you are using
  • In your operations
  • Know what code you are delivering to your customers
• Use quality code
  • It is not the license
  • It is the community
  • Core Infrastructure Initiative
• Apply all available security patches immediately
• Upstream your modifications
• Consume tested code

Page 20: Open Source Outlook: Expected Developments for 2016


INCREASING NUMBER OF OSS VULNERABILITIES

[Chart: Open Source Vulnerabilities Reported Per Year, 2000 through 2015; vertical axis 0 to 3500]

Reference: Black Duck Software knowledgebase, NVD, VulnDB

Page 21: Open Source Outlook: Expected Developments for 2016


COMPUTER AUTHORSHIP OF SOFTWARE

Page 22: Open Source Outlook: Expected Developments for 2016


WHO IS AN AUTHOR?

• Facts: monkey uses camera to take selfies: Naruto (PETA) vs. David John Slater (January 26, 2016, N.D. Cal.)
• Rely on the statute and case law
  • Statute does not determine
  • Case law refers to “human beings” and “persons”
• Compendium of U.S. Copyright Office Practices (2014)
  • “[t]o qualify as a work of ‘authorship’ a work must be created by a human being. Works that do not satisfy this requirement are not copyrightable”
  • “Similarly, the Office will not register works produced by a machine or mere mechanical process that operates randomly or automatically without any creative input or intervention from a human author.”

Page 23: Open Source Outlook: Expected Developments for 2016


HISTORY OF COMPUTERS AS AUTHORS

• Raised by Register of Copyrights in 1965
• CONTU Report (review of certain issues in 1976 Act):
  • "On the basis of its investigations and society's experience with the computer, the Commission believes that there is no reasonable basis for considering that a computer in any way contributes authorship to a work produced through its use"
• Rationale (Professor Samuelson)
  • The system has allocated rights only to humans for a very good reason: it simply does not make any sense to allocate intellectual property rights to machines because they do not need to be given incentives to generate output.

Page 24: Open Source Outlook: Expected Developments for 2016


ANDROID & EU

• 2015: announcement of investigation
• 2016 (April 20, 2016): announcement of charges by Margrethe Vestager
  • http://europa.eu/rapid/press-release_MEMO-16-1484_en.htm
• Pre-installed apps: The Commission's investigation showed that Google obliges manufacturers, who wish to pre-install Google's app store for Android, Play Store, on their devices, to also pre-install Google Search, and set it as the default search provider on those devices. In addition, manufacturers who wish to pre-install Google's Play Store or Search, also have to pre-install Google's Chrome browser. Thereby, Google has ensured that Google Search and Google Chrome are pre-installed on the significant majority of devices sold in the EEA.
• Anti-fragmentation: if a manufacturer wishes to pre-install Google proprietary apps, including Google Play Store and Google Search, on any of its devices, Google requires it to enter into an "Anti-Fragmentation Agreement" that commits it not to sell devices running on Android forks.
• Exclusivity: Google has granted significant financial incentives to some of the largest smartphone and tablet manufacturers as well as mobile network operators on condition that they exclusively pre-install Google Search on their devices

Page 25: Open Source Outlook: Expected Developments for 2016


STRATEGY FOR FOSS ENGAGEMENT

• Tighten compliance
  • Work on simple issues such as notices, license text, written offer and source code offer
  • Work on compliance by supply chain vendors
• Become better FOSS community members (and be seen to be better members):
  • contribute code to projects
  • be visible and approachable
  • participate in events and conferences
  • share knowledge
  • most importantly: help shape and reinforce community norms and expectations on compliance

Page 26: Open Source Outlook: Expected Developments for 2016


SUMMARY FOR SOFTWARE DISTRIBUTORS

• Understand what FOSS is included in your products.
• Develop a FOSS use (and management) policy to ensure that you understand your obligations and can comply with them (for an overview of FOSS and FOSS governance see https://www.blackducksoftware.com/resources/webinar/introduction-open-source-software-and-licensing).
• Review your distribution agreements to ensure that they take into account any terms imposed by FOSS in your product and modify those terms as appropriate.

Page 27: Open Source Outlook: Expected Developments for 2016


QUESTIONS?

Follow us!