Developer guidelines for using third-party code

Mark Aberdour, Head of Learning Platforms



Why it matters

It’s good to use code found on the web. It can be very robust and well tested, and generally makes a programmer’s life easier.

However, third-party code comes with some licensing dangers which can seriously impact both employee and employer if the law is broken.

While most code libraries are fine to use, some do require more care than others to stay on the right side of the law.

This quick guide aims to help Epic programmers make the right decisions on what code to use in their projects.

By necessity this guide contains some simplifications of what is a complex legal area. If in doubt, please just ask.

License types

Most code found on the web is open source. There are three main types of open source license, and these dictate what we can and can’t do with the code.

| License type | Commercial use |
| --- | --- |
| Strongly-protective / copyleft (GPL/AGPL) | CANNOT use in closed-source, commercial products |
| Weakly-protective (LGPL) | Can use in closed-source, commercial products WITH CARE |
| Permissive (Apache, MIT, BSD) | FREE TO USE in closed-source, commercial products |
| Non-OS license | Terms will vary so read the license! |

Licenses: strongly protective

Licenses: GPL, AGPL

Implications of using code:

If the code is used in a product that is redistributed, then the entire codebase must inherit the same license. For this reason, these are also known as viral licenses.

Epic policy:

Do NOT use any GPL or AGPL licensed code without getting permission first, unless the project you are working on is already GPL or AGPL licensed.

Licenses: weakly protective

Licenses: LGPL

Implications of using code:

This license is commonly used for code libraries. It allows the code to be used in closed source, commercial products; however, any modifications to the library must be fed back upstream to the creator.

Epic policy:

It is fine to use LGPL licensed code, but any changes MUST be fed back to the library creator, and the developer should manage this process.

Licenses: permissive

Licenses: Apache, MIT, BSD

Implications of using code:

Allows the code to be used in closed source, commercial products with no obligations. Some licenses have an ‘attribution clause’ which simply asks that the original creator is credited.

Epic policy:

It is absolutely fine to use any Apache, MIT or BSD licensed code.

Licenses: non-open source

Licenses: Custom license or ‘terms and conditions’ page

Implications of using code:

This will depend entirely on the terms that the creator has outlined. Sometimes there is just a statement on the webpage with some brief terms of use.

Epic policy:

Find the terms and conditions or statement of use and make an appropriate decision. If in doubt, please ask for assistance. Take a dated screenshot in case the terms change over time.


Three questions to always ask

1. What are the license terms of the code you are thinking of using?

Be sure to find out what license it is released under. If it’s not open source or if you cannot find a license, then contact a senior manager for approval to reuse it.

2. What are the license terms of the Epic project you are working on?

This will impact what licenses you can use. For example, the webinar plug-in we built for Moodle is GPL anyway.

3. Is the product for just one customer, or will it be distributed to many?

Open source license terms kick in when a product is redistributed. So if the code is for the private use of a single customer, it is fine to reuse code from ANY license, GPL included.

Re-use conventions

The following are best practices that you should follow every time you reuse third-party code. If you get in the habit of doing this, you should always be on the right side of the law.

- Always retain the original license info in the code files.

- Always credit the original author. Even if it is not always required, it is the right thing to do.

- If you make modifications, ensure they carry prominent notices.

- If you make modifications, send the amends back to the original author. Again, it is not always required, but it’s the right thing to do.

- Finally, please keep a record in the project folder of all third-party code used and include the license type and source URL.


Detailed license info


Apache v2 license

This is a PERMISSIVE license.

We can use, modify and redistribute this code as part of a commercial product.

The license info must be retained in the file.

Any modifications must carry prominent notices.

If the work includes a NOTICE text file containing author attributions, then those attribution notices must be provided with the new work.

http://opensource.org/licenses/Apache-2.0


MIT license

This is a PERMISSIVE license.

We can use, modify and redistribute this code as part of a commercial product.

There are no obligations at all, therefore we can do what we like with it.

http://opensource.org/licenses/MIT


BSD 3-clause license

This is a PERMISSIVE license.

This is similar to the MIT license, with the addition of a third clause that says we cannot use the author's organisation name or any contributor names to promote the product.

The BSD-2 clause license is newer, omits the third clause and is roughly equivalent to the MIT license.

http://opensource.org/licenses/BSD-3-Clause


LGPL v3 license

This is a WEAKLY PROTECTIVE license; reuse requires some care.

We can use, modify and redistribute this code as part of a commercial product.

We MUST include a notice that the library is used (e.g. in a NOTICE file) within the product and include copies of the GPL and LGPL (but these won't apply to the whole product, don’t worry!).

If we make modifications, then the library must also be released under the LGPL.

http://opensource.org/licenses/lgpl-3.0.html


GPL v2/v3 license

This is a COPYLEFT license; reuse is highly restrictive.

We CANNOT use, modify or redistribute this code as part of a commercial product.

If we redistribute the derivative work then the entire product must itself inherit the GPL.

http://opensource.org/licenses/gpl-license


AGPL v3 license

This is a COPYLEFT license; reuse is highly restrictive.

We CANNOT use, modify or redistribute this code as part of a commercial product.

If we redistribute the derivative work, then the entire product must itself inherit the GPL.

Redistribution in this case includes applications accessed remotely from a server (e.g. Cloud/SaaS services).

http://opensource.org/licenses/AGPL-3.0

Further information

If you have any questions at all regarding the above or any licenses we have not covered, please contact:

Mark Aberdour

Email: [email protected]

Twitter: @maberdour