Open Source in the Real World - Webinars, Webcasts, LMS...

Open Source in the Real World: Beyond the Rhetoric Maureen Dorney Partner, DLA Piper Kat McCabe Board of Advisors, Black Duck Software, Inc. Gemma Dreher Senior Counsel, BAE Systems


Open Source in the Real World: Beyond the Rhetoric

Maureen Dorney, Partner, DLA Piper

Kat McCabe, Board of Advisors, Black Duck Software, Inc.

Gemma Dreher, Senior Counsel, BAE Systems


ACC Webinar January 15, 2008

Introduction

Widespread availability and use of open source software makes it important for corporate counsel to understand the issues and best practices

Focus today on management of open source in:

Development

Procurement

Due Diligence (M&A context from Buyer perspective)


Development

Internal policies and procedures for internal use, external use and contributions mitigate risks

Options for managing use of open source

Committee (company vs. business unit)

Pre-approval/disapproval of certain licenses

Individual

Educate developers and others on policies, procedures and risks


Development

Require review/approval before check in

Applicable license and source (e.g., website)

Confirm that license meets internal policies

Technical/legal personnel perform final code review before distribution

Review code branches and developer comments

Consider audit tools to scan and identify open source


Development

Document use of source code

Location

Version

Applicable License

Obligations

Ensure compliance with obligations


Procurement

Commercial Open Source Procurement Eco-System

Third Party Developers (includes offshore development)

Enterprise Software Vendors (both upstream and downstream)

ASP or SAS Providers (use but no distribution)

OEM Relationships (many companies have inconsistent policies)

VAR and ISV Models (present similar issues as those found in OEM relationships)

Often Different Divisions of Technology Companies Deploy Conflicting Policies

Complexities of Dual Source Models


Procurement

Formulation of an Open Source Procurement Strategy

An Open Source Procurement Strategy Should Parallel and be Compatible with Internal Development and Downstream Licensing Strategies:

Your Channel Requirements

Software Architecture

Warranties and Indemnities

Conformance of Licenses and Proprietary Rights Notices

Implementation of “Standard” Software Solutions

Consider Dual Source Options Where Appropriate

The Same Open Source Policy and Approval Structure for Internal Development should Extend to Procurement

Procurement Partners Can Have Very Different Open Source Strategies


Sample Procurement Clauses

Prohibited Uses of the Source Code. Company will not make the Source Code of the Software available on a non-confidential basis. Company shall not combine or distribute the Source Code with any Publicly Available Software. As used in this Agreement, “Publicly Available Software” means each of: (i) any software that contains, or is derived in any manner (in whole or in part) from, any software that is distributed as free software, open source software (e.g., Linux) or similar licensing or distribution models; and (ii) any software that requires as a condition of use, modification and/or distribution of such software that other software distributed with such software (A) be disclosed or distributed in source code form; (B) be licensed for the purpose of making derivative works; or (C) be redistributable at no charge. Publicly Available Software includes, without limitation, software licensed or distributed under any of the following licenses or distribution models, or licenses or distribution models similar to any of the following: (i) GNU’s General Public License (GPL) or Lesser/Library GPL (LGPL), (ii) The Artistic License (e.g., PERL), (iii) the Mozilla Public License, (iv) the Netscape Public License, (v) the Licensee Community Source License (SCSL), and (vi) the Licensee Industry Standards License (SISL).


Sample Procurement Clauses

Licensor shall provide to Licensee in Exhibit A below: (a) a list of all Open Source Technology (including, but not limited to code licensed under the GPL or LGPL) incorporated into or combined with the Software, (b) a description of how the Open Source Technology is incorporated with or into, or interacts with, or will interact with, the Software or any technology that may be incorporated with the Software and/or Licensee products and (c) a copy of the license governing the use and distribution of the Open Source Technology. Licensor agrees to fully cooperate with Licensee to insure compliance by both parties with the terms of any license governing the use of any Open Source Technology in any Software delivered by Licensor to Licensee. Licensor shall comply with a request from Licensee to grant rights and immunities under Licensor’s Intellectual Property rights to third parties as required to insure compliance with the terms of any license governing the use of any Open Source Technology in any Software delivered by Licensor to Licensee.


Sample Procurement Clauses

Licensor grants to Licensee a non-exclusive, perpetual, irrevocable and worldwide license under Licensor’s Intellectual Property Rights to, in any fashion Licensee may choose (including, but not limited to, community source and/or open source licensing, except any BSD license) (i) reproduce, prepare Derivative Matter of, compile, publicly perform, publicly display, demonstrate, market, disclose and distribute the Software and modifications thereof in source code or object code form on any media or via any electronic or other method now known or later discovered; (ii) make, have made, use, sell, offer to sell, import and otherwise exploit the Software and modifications thereof in source code or object code form in any manner and on any media or via any electronic or other method now known or later discovered; and (iii) sublicense the foregoing rights to third parties through multiple tiers of sublicensees or other licensing mechanisms at Licensee’s option.


Changes in Due Diligence

Traditional technology due diligence

Contract review

Interviews with management

Provides an incomplete picture

New approach

Need to address lack of information about downloaded code (open source and third party)

Automated code review used to find downloaded code


Specific Buyer Concerns – Code Provenance

Code Provenance = Chain of Title

Tens of thousands of developers worldwide contribute to open source

Potential lack of attention to and understanding of IP rights

Reputable source of code is key

Well-known, well-run open source projects vs. less known software developers

Buyer assessment of potential liabilities


Specific Buyer Concerns – License Terms

Need to identify and review open source license terms

Has the target complied?

Potential liability for breach of contract and infringement

Is the buyer comfortable with the conditions and obligations going forward?


Specific Buyer Concerns – License Terms

The General Public License (GPL) exemplifies significant license conditions

Developed by Richard Stallman

GPLv2 first issued in the early 1990s; today, one of the world’s most popular open source licenses

GPLv3 issued in June, 2007; addresses new issues, e.g. patent and digital rights management (DRM)


Specific Buyer Concerns – License Terms

Copyleft/Reciprocity (under GPLv2 and GPLv3)

Goal to achieve the opposite of copyright

Condition of re-distribution is re-licensing under the GPL

GPL provides broad user rights and access to source code

Key issue: reciprocity typically conflicts with traditional licensing models


Specific Buyer Concerns – License Terms

Patent Provisions under GPLv3

Goal to address the threat of patents

Broad patent license

Patent retaliation provision

Complex provisions to protect against third party patent licenses

Key issue: patent provisions may have unwanted impact on the user’s patent portfolio


Specific Buyer Concerns – License Terms

Anti-Digital Rights Management (under GPLv3)

Goal to give users the right to modify code and redeploy it on the applicable consumer device

Consumer device companies required to give installation information, along with broad rights and source code

Key issue: consumer device manufacturers particularly concerned about GPLv3


Specific Buyer Concerns – License Terms

Broad Disclaimer of Warranties and Liability (under GPLv2 and GPLv3)

Key issue: no operational or legal support


Code Analysis – Practical Considerations

Who will Perform the Analysis?

Buyer

Target concern of misuse/Buyer concern of taint

Target

Buyer concern of incomplete analysis

Third Party

Resolves inherent tension

Acts as a buffer between the parties


Code Analysis – Practical Considerations

Where?

Target wants control of code; target offices are the preferred location

Target needs to determine rules of engagement

Target needs to manage employee expectations; e.g. with cover stories


Code Analysis – Practical Considerations

Legal Analysis of Results

Assessment of code origins

Many unknown sources or a few reputable ones?

Review of license terms

Permissive or onerous?

Assessment of Target’s compliance

Evaluation of potential copyright and contract claims

Results can affect deal pace and terms


Open Source and M&A Summary

Buyers are concerned about unknown open source code in the target’s code base

Buyers now require physical code assessments

Unprepared targets risk problems in due diligence and disruption of the deal

Prepared targets improve the deal process