POSSCon-Policy-Preso-3-20-11
Slide 1
Open Source Policy: “Tips for Becoming a Good Open Source Citizen”
POSSCON. Speaker: Steven Grandchamp, CEO, OpenLogic
Slide 2
Copyright OpenLogic 2006
Today’s discussion
- Do you need an open source policy?
- What level of compliance with open source licenses?
- Why should I be concerned?
- What should I do about it?
- What are the key elements of an open source policy?
Slide 3
About OpenLogic
OpenLogic helps enterprises to successfully and safely acquire, deploy, support and control all of the free and open source software they use.
- Scanning Tools
- Open Source Audits
- Open Source Support
Slide 4
Then…
Slide 5
Now...
Open Source is Used in 88% of Android Apps & 41% of iOS Apps
Source: OpenLogic Mobile Research 9/2010
Slide 6
So…
Slide 7
More Than A Theoretical Risk: Legal Action
Free Software Foundation has been active in GPL enforcement.
Sources: Ars Technica; cnet; The Inquirer
Slide 8
More Than A Theoretical Risk: Bad PR?
Sources: Network World; Matthew Garrett http://www.codon.org.uk/~mjg59/android_tablets/
Slide 9
Compliance Concern
Many Apps Aren’t Consistently Complying with Open Source Licenses
Slide 10
Takedown Requests to Android Market
Feb 2011 = 206 Takedown Requests
Source: Chilling Effects Clearinghouse, Takedown Complaints for Android Market
Slide 11
Research Methodology
- Scanned 635 Top Apps with OSS Deep Discovery
  - 123 Android Apps
  - 512 iOS Apps
- Picked top paid and free apps across categories
- Identified 68 Apps with GPL, LGPL or Apache
  - 52 with Apache
  - 16 with GPL/LGPL
- Examined those apps for compliance with key obligations
Slide 12
Four Areas of Compliance Analyzed
Apache: Provide copy of license; Notices/Attributions
GPL/LGPL: Provide copy of license; Provide source code
Slide 13
Failure to Comply
71% of Apps using Open Source under GPL, LGPL and Apache do not comply
Comply: 29%; Do Not Comply: 71%
Source: OpenLogic Mobile Research 3/2011
Slide 14
REALLY? Do I need to care?
Slide 15
Three Reasons to Comply
1. It’s the right thing to do
2. Protect your IP
3. Money in your pocket
Slide 16
It’s The Right Thing to Do
Free software… but please comply
Slide 17
Protect your IP
Copyleft open source licenses can impact licensing of your IP
Slide 18
Protect your IP
Diagram: open source under a “Copyleft” license, linked with your code
Derivative work? Depends on the license and how you combine the code
Slide 19
Money in Your Pocket
Non-compliance can result in: Takedowns, Injunctions, Lawsuits, Legal costs
Slide 20
OK, OK I get it.
Slide 21
How to Become A Good Open Source Citizen
1. Understand open source licensing
2. Create an open source policy
3. Track all open source usage
4. Conduct a scan or audit of your code
5. Develop a compliance checklist
Slide 22
1. Understand OSS Licensing
- Official definition of OSS license
  - Approved by the Open Source Initiative (OSI)
  - http://www.opensource.org/
  - Currently over 60 approved licenses
- Key Criteria
  - Free distribution
  - Source code is available
  - Derived works are allowed
  - Non-discrimination
Slide 23
Categorizing Open Source Licenses
Spectrum from “No Strings” to “Strings Attached”:
- Liberal (“Traditional” Open Source): MIT/X, W3C, Original BSD
- Additional Clauses: Apache Software License, Eclipse Public License, Common Public License, Mozilla Public License, SISSL, IBM Public License
- Copyleft: GNU GPL, GNU LGPL, GNU GPL v3
Slide 24
Dependency Issues Impact Licensing
- OSS often depends on or bundles other OSS
- Need to look at all the dependencies and bundled projects and their licenses
  - Important: The licenses may not be the same
  - Important: Can be at odds with each other
  - Important: Have multiple and conflicting obligations
- Example: Geronimo (Apache license) uses MySQL (GPL) through the MySQL driver (formerly LGPL but now GPL)
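As an added example (not code from the OpenLogic slides), the dependency walk slide 24 asks for, with the distribution obligations of slide 12 attached to each license family and every copyleft component reported with the path that pulled it in. The package names, the Proprietary root, the license version strings and the MIT entry are assumptions; it generalizes the Geronimo/MySQL driver case to any transitive graph.

```python
from collections import deque

# Constructed dependency graph: package -> (license, packages it depends on or bundles).
# Names and licenses are illustrative; the geronimo -> mysql-connector chain mirrors the
# case on slide 24 (Apache-licensed Geronimo reaching a GPL driver).
DEPS = {
    "my-app":          ("Proprietary", ["geronimo", "json-lib"]),
    "geronimo":        ("Apache-2.0", ["mysql-connector"]),
    "mysql-connector": ("GPL-2.0", []),
    "json-lib":        ("MIT", []),
}

# Distribution obligations per license family, as listed on slide 12 (MIT row assumed).
OBLIGATIONS = {
    "Apache-2.0": {"provide copy of license", "preserve notices/attributions"},
    "GPL-2.0":    {"provide copy of license", "provide source code"},
    "LGPL-2.1":   {"provide copy of license", "provide source code"},
    "MIT":        {"provide copy of license"},
}
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}


def transitive_deps(root, deps=DEPS):
    """Breadth-first walk from root; returns {package: (license, path from root)}.
    The path shows how a copyleft component was pulled in, e.g. via an Apache one."""
    found, queue = {}, deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        if pkg in found:          # already reached by a shorter path; skip cycles too
            continue
        lic, children = deps[pkg]
        found[pkg] = (lic, path)
        queue.extend((child, path + [child]) for child in children)
    return found


def bill_of_obligations(root, deps=DEPS):
    """Aggregate the obligations for shipping root and list copyleft components that
    need derivative-work review (slide 18). Unknown licenses become a review item."""
    obligations, copyleft = set(), {}
    for pkg, (lic, path) in transitive_deps(root, deps).items():
        if pkg == root:
            continue
        obligations |= OBLIGATIONS.get(lic, {f"review unknown license {lic} ({pkg})"})
        if lic in COPYLEFT:
            copyleft[pkg] = " -> ".join(path)
    return sorted(obligations), copyleft


if __name__ == "__main__":
    print(bill_of_obligations("my-app"))
```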
Slide 25
2. Create an Open Source Policy
- Things to include
  - Licenses allowed
  - Approval processes
  - Audit and compliance processes
- Considerations
  - Keep it lightweight
  - Don’t let fear guide you
Slide 26
Elements of an Open Source Policy
- Strategy and Stance
- Sourcing – where developers should get open source
- Certification – what criteria (technical, legal, community)
- Approvals – what needs to be approved by whom
- Approval Criteria – which licenses, packages, usage
- Scanning & Compliance – what audits, when, by whom
- Tracking & Reporting – what needs to be tracked
- Support & Maintenance – what support is required
- Contribution Policy & Community Interactions – what’s allowed
- Open Source Review Board – or designated group to manage policy
- Technical Infrastructure – repository, approval workflow, tracking, scanners
Slide 27
Strategy
- Pro? Con? Neutral?
- Risk – can vary by use model: Standalone, Bundled, Embedded
  - High – Legal risk, distribution, mission critical, non-approved license
  - Medium – Customer facing, mission critical, immature community
  - Low – not Medium or High
Slide 28
3. Track all Open Source Usage: Why?
- Know what you are using
- Best practices for software asset management
  - Identify opportunities for sharing or savings
  - Find out what open source is being used so you can leverage expertise, support, etc. across teams
- Legal & compliance
  - Validate that you are complying with licenses
  - Be able to determine impact of license changes
  - Provide an audit trail for regulatory compliance
  - Assess impact of lawsuit or IP infringement
- Maintenance
  - Be prepared to handle security patches or critical issues
  - Able to plan for maintenance updates
- Support
  - Understand level of support necessary
  - Share support resources (whether internal or external)
Slide 29
3. Track all Open Source Usage: What?
- What open source packages are used
- What versions are used
- The exact source/object code
- Where you got it from (source)
- What license it’s under
- What applications it’s used in
- What machines they are used on
- What operating system they are used with
- Whether the project is internal, external or for distribution
- When distributed and to whom
- Approval trail – who approved, when approved, for what purpose
Slide 30
4. Conduct a scan or audit of your code
- Outcome of an OSS audit:
  - List of open source packages
  - List of open source licenses
  - List of license obligations
  - List of licenses that may have conflicting terms
- Options
  - Scanning tools
  - Manual review
  - Audit services
Slide 31
Scanning & Compliance
Slide 32
Why Scan?
- If distributing an application
  - Ensure an accurate bill of materials and bill of licenses and obligations for license compliance
- If deploying internally
  - Understand license obligations – some may apply to internal use
  - Understand support and maintenance requirements for operational issues
  - Ensure policy compliance
Slide 33
Scanning
- Why Scanning vs Self-reporting? Self-reporting is inaccurate because:
  - Developers forget about things they included
  - Developers often aren’t aware of bundled packages
  - Developers often aren’t aware of additional licenses
  - Outsourcers are notoriously inaccurate at self-reporting
  - Commercial packages may include open source
- Our Application Audit experience
  - 100% of our App Audits find much more than the developers reported
  - In many cases we find GPL that the company was not aware of
Slide 34
Best Practices: “Going Forward”
- Start with any upcoming new products/releases
- Baseline current shipping version
  - First scan and reconciliation will take the most time
  - Delta scans can be done after that
- Scan at multiple points in SDLC
  - Scan during development
  - Scan prior to ship
  - Final scan of shipped code
Slide 35
Best Practices: “Remediation”
- Consider whether previously shipped products need to be scanned
  - Is there a newer version that has been scanned?
  - Did we find OSS in later scanned versions?
  - How widely used is the product?
  - How long has it been out?
  - Are most people upgrading to latest versions?
  - What is the risk we are willing to take?
- Put in place any remediation needed for older products
Slide 36
About Compliance
- Scanning and reconciliation is only the first step
- You need to ensure you are in compliance
- Expect to spend some “back and forth” time between legal and development to get it right
- Usage will change which obligations are applicable
- Legal and development will need to work together
- Be aware of your own EULAs/Contracts – they may need to change
Slide 37
5. Develop a compliance checklist
- Create a compliance checklist:
  - Notices in code and/or documentation
  - Source code provided in proper way
  - Is there an EULA for your product?
- If there are conflicts or compliance is not possible:
  - Can you live without this code?
  - Is there an alternative to the code?
  - Can you contact the author and ask for an exception/different license?
- Risk management:
  - What is likely to get litigated?
  - What are your sticking points that prevent perfect compliance?
Slide 38
Special Outsourcing Considerations
- Outsourcer contracts
  - Contract should require they fully disclose all open source and licenses, including bundled packages
  - Contract should require your approval of open source use and licenses
  - May want to require warranty/indemnification if they give you an inaccurate list (Verizon example)
  - May want to specify remedies if they screw up and you need to make changes or remove open source
  - May want to recommend or require scanning of code: they do it, you do it, or they pick or you specify a third party service
Slide 39
Special Outsourcing Considerations
- Outsourcer processes
  - Discuss open source with them early in the project
  - Plan to get list of open source (through scanning or self-reporting) early in development cycle
  - Get a final list when they provide final code
  - Either scan all incoming code that you plan to distribute or consider spot audits
Slide 40
Thanks!
- Slides? www.openlogic.com/downloads, www.slideshare.net
- Learn more: www.openlogic.com
- To receive more details: [email protected]
- Follow: @openlogic