Where’s the license?
Transcript of Where’s the license?
Protecode Inc. 2014
Agenda
Why Licensing Matters
What defines Free and Open Source Software
Where to look
What to do with licenses found
Tools and Resources
Q & A
Normand Glaude, COO, Protecode
Disclaimer: I am not a lawyer. The material presented in this webinar is for informational purposes only and not for the purpose of providing legal advice.
Open Source Software
The good: enables rapid software development
– Easy access to code, hundreds of thousands of projects
– Faster, more functional
– Enables new business models
The challenge: uncertain ownership structure
– Intellectual property: copyright, license
– Requires due diligence
Why Licensing Matters
Copyright laws are (mostly) universal
– The Berne Convention, administered by WIPO and incorporated into the WTO's TRIPS agreement, has 168 states parties
• Copyright is automatic, whether registered or not
Open source licenses
– The copyright owner's way of granting the right to use
– Most open source licenses carry obligations
– May or may not suit your business model
FOSS, as in Free Software?
Free software, according to the Free Software Foundation: “Free software” means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”.
Source: http://www.gnu.org/philosophy/free-sw.html
“… Open Source misses the point of Free Software.”Source: http://www.gnu.org/philosophy/open-source-misses-the-point.html
FOSS, as in Open Source Software?
The Open Source Definition, according to the Open Source Initiative:
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral
Source: http://opensource.org/osd
Where to find licensing information
Everywhere!
– Any and every file in the package
• Source code, header files, license files, readme, archives…
– Even outside the package
• Website, forums
Information to consider
– Full license text
– References to licenses
– Documentation that clarifies licensing
– Location where references/text was found
– Documentation external to the package
File License
Reference to license information
– Typically found in the header section of the file
– Generally applies to the whole file (sometimes only to a code snippet)
– Impractical to include the complete license text in every file
Full License Text
Required by all licenses: the text must travel with the code
– Web sites and links change over time
– A package is transferred as a unit and does not change
Contains
– Permissions, conditions, obligations, disclaimers, exceptions, etc.
Location matters!
– Where did you find the license file?
• At the root of the package?
• In a sub-folder?
• In a documentation folder?
– What is the scope of the license?
License Notices
Documentation about licenses
– Often found at or near the root of a package
– Contains statements and clarifications about licenses
• Are they conjunctive (AND) or disjunctive (OR)?
• Are 3rd-party components included or packaged separately?
– Understand the structure of the package
Often depends on the hosting forge and language
– Examples:
• GitHub: license.md, readme.md
• Ruby: packaged as Gem files with embedded license tags
Internal and External References
Project Types
Simple
– Homogeneous licensing
– Original content, no 3rd party included in packages
– Example: Apache HTTPClient
Composite
– Mixed or homogeneous licensing
– Some original content, some 3rd party
– Example: Vaadin
Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
– Example: 4MLinux
So, which license applies?
Dual and multi-licensing
– Pick one
Relicensing vs. sublicensing
– Pick
Compatibility of licenses
– Incompatibilities mostly with copyleft licenses
– GPL incompatibilities are well documented
Files with no copyright
– Whose creation?
Ask for clarification!
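The "conjunctive (AND) or disjunctive (OR)" question from the license-notices slide and the "pick one" rule for dual and multi-licensing above can be made mechanical once a package's terms are written as an SPDX-style license expression. The following is an added example for this page, not Protecode's tooling: a small recursive-descent parser for expressions with AND, OR, WITH and parentheses (AND binds tighter than OR, as in the SPDX specification), plus an evaluator that, given a hypothetical policy of licenses a closed-source product will accept, returns the set of obligations you would actually take on, or None when no permitted choice exists. The license identifiers, the `PERMISSIVE_POLICY` list and the function names are assumptions for illustration and are not legal advice.

```python
"""Evaluate an SPDX-style license expression against an acceptance policy.

Added example (not Protecode's code). AND is conjunctive: every operand's
obligations apply. OR is disjunctive: the recipient picks one alternative.
AND binds tighter than OR; parentheses group. The policy is a hypothetical
permissive-only list for a closed-source product, chosen for illustration.
"""
import re

# Tokens are parentheses or identifiers; keywords are recognised by value.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")
KEYWORDS = {"AND", "OR", "WITH"}
# Hypothetical policy (assumption): licenses this product team will accept.
PERMISSIVE_POLICY = frozenset({"MIT", "BSD-3-Clause", "Apache-2.0"})


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected characters in %r" % expr)
    return tokens


class _Parser:
    """expr := and_expr (OR and_expr)*; and_expr := primary (AND primary)*."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected or "license", tok))
        self.pos += 1
        return tok

    def expression(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take("OR")
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.primary()
        while self.peek() == "AND":
            self.take("AND")
            node = ("AND", node, self.primary())
        return node

    def primary(self):
        if self.peek() == "(":
            self.take("(")
            node = self.expression()
            self.take(")")
            return node
        ident = self.take()
        if ident in KEYWORDS or ident == ")":
            raise ValueError("unexpected token %r" % ident)
        if self.peek() == "WITH":  # "GPL-2.0 WITH Classpath-exception-2.0" is one license
            self.take("WITH")
            ident = ident + " WITH " + self.take()
        return ("LIC", ident)


def parse(expr):
    parser = _Parser(tokenize(expr))
    node = parser.expression()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return node


def choose(node, policy):
    """Sorted tuple of licenses whose obligations you take on, or None if no
    permitted choice exists. AND: all operands must be acceptable and their
    obligations accumulate. OR: any acceptable branch suffices; the one with
    the fewest obligations is picked."""
    kind = node[0]
    if kind == "LIC":
        return (node[1],) if node[1] in policy else None
    left, right = choose(node[1], policy), choose(node[2], policy)
    if kind == "AND":
        if left is None or right is None:
            return None
        return tuple(sorted(set(left) | set(right)))
    options = [opt for opt in (left, right) if opt is not None]
    return min(options, key=len) if options else None


def can_use(expr, policy=PERMISSIVE_POLICY):
    """Licenses to comply with if `expr` is acceptable under `policy`, else None."""
    return choose(parse(expr), policy)


if __name__ == "__main__":
    for e in ("MIT OR GPL-2.0", "GPL-2.0 AND MIT", "(GPL-2.0 OR BSD-3-Clause) AND MIT",
              "MIT AND GPL-2.0 OR BSD-3-Clause", "GPL-2.0 WITH Classpath-exception-2.0"):
        print("%-40s -> %s" % (e, can_use(e)))
```

Note that `MIT AND GPL-2.0 OR BSD-3-Clause` parses as `(MIT AND GPL-2.0) OR BSD-3-Clause`, so the permissive policy is satisfied by picking BSD-3-Clause alone; a reader who assumed OR bound tighter would wrongly conclude the package is unusable. A `WITH` exception is treated as a distinct license identifier, so it must appear in the policy explicitly before it is accepted.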
Tooling
Free tools
– Perform a superficial scan of the source code
• Fossology (http://www.fossology.org)
• SPDX (http://spdx.org)
• Windriver (http://spdx.windriver.com)
• Ninka (http://ninka.turingmachine.org)
Commercial tools
– Perform a deep scan of the source code, archives and binaries
• Use a reference database
• Identify full file content AND code snippets
• Find project information: source repositories, security vulnerabilities, etc.
– Perform a local scan of the source code
• Identify attributes of proprietary software not found in the reference DB
Automated Software Scanning
Automated scan (Protecode Enterprise Analyzer™)
• Target files: source code, binaries, archives
• Information files: README, COPYING, LICENCE.txt, etc.
• Two-step scan:
1. Local scrubbing of software files
2. Similarity match against publicly available OSS
• Fast: ~4k files (100–200 Mbytes)/hour
Raw machine output
• OSS projects, packages, versions, licenses, copyrights, vulnerabilities, encryption content, etc.
• Modified/unmodified software
• Proprietary, unknowns, conflicting licenses, etc.
Typical Licensing Issues Uncovered in Open Source
OSS content with ambiguous / no license terms
– Software with copyrights but no licenses
– Software with authors but no copyrights / licenses
– Software with no pedigree information
– Software with conflicting license information
– Public domain software with proprietary licenses
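The "where to look" slides (every file, file headers, location of the license file) and the issue list above describe one procedure: walk the package, read headers, record where each license file sits, and flag files with a copyright but no license, no pedigree at all, or a mix of licenses. The following is an added example for this page, not Protecode's scanner, that does exactly that over a small constructed package written to a temporary directory. The phrase-to-identifier mapping in `LICENSE_PHRASES`, the file contents in `build_sample_package`, and all function names are assumptions for illustration; a real scanner needs a far larger reference database than four patterns.

```python
"""Locate licensing information in a package tree.

Added example (not Protecode's code). Looks in every file, inspects only the
header section for license references and copyright lines, notes whether each
license file sits at the root or in a sub-folder, and flags files that carry a
copyright but no license, or no pedigree information at all.
"""
import os
import re
import tempfile

# Filenames that conventionally hold full license text or license notices.
LICENSE_FILENAMES = re.compile(r"^(LICEN[CS]E|COPYING|NOTICE)(\..*)?$", re.IGNORECASE)
# Header phrases that reference a license (assumption: a tiny reference set).
# A None identifier means the id is captured from the text itself (SPDX tag).
LICENSE_PHRASES = [
    (re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)"), None),
    (re.compile(r"GNU General Public License.{0,200}?version 2", re.I | re.S), "GPL-2.0"),
    (re.compile(r"Apache License,? Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s+(\(c\)|\u00a9)?\s*\d{4}", re.I)
SOURCE_EXT = {".c", ".h", ".py", ".java", ".js", ".rb", ".go"}
HEADER_BYTES = 4096  # only the header section is inspected, as the slide notes


def scan_file(path):
    """Return (set of license ids referenced, has_copyright) for one file header."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    licenses = set()
    for pattern, spdx_id in LICENSE_PHRASES:
        match = pattern.search(header)
        if match:
            licenses.add(match.group(1) if spdx_id is None else spdx_id)
    return licenses, bool(COPYRIGHT_RE.search(header))


def scan_package(root):
    """Walk `root` and report where licensing information was found."""
    report = {
        "license_files": [],         # (relative path, depth); depth 0 == package root
        "file_licenses": {},         # relative path -> set of license ids referenced
        "copyright_no_license": [],  # copyright holder named, no license reference
        "no_pedigree": [],           # source files with neither copyright nor license
    }
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if LICENSE_FILENAMES.match(name):
                report["license_files"].append((rel, rel.count("/")))
            licenses, has_copyright = scan_file(full)
            if licenses:
                report["file_licenses"][rel] = licenses
            elif has_copyright:
                report["copyright_no_license"].append(rel)
            elif os.path.splitext(name)[1] in SOURCE_EXT:
                report["no_pedigree"].append(rel)
    return report


def licenses_in_package(report):
    """Every distinct license referenced; more than one means mixed licensing."""
    found = set()
    for ids in report["file_licenses"].values():
        found |= ids
    return found


def build_sample_package():
    """Write a small constructed package (not a real project) to a temp dir."""
    root = tempfile.mkdtemp(prefix="license-scan-")
    files = {
        "LICENSE": "MIT License\n\nCopyright (c) 2014 Example Author\n\n"
                   "Permission is hereby granted, free of charge, to any person ...\n",
        "README.md": "# sample\nSee LICENSE for terms.\n",
        "src/main.c": "/* Copyright (c) 2014 Example Author\n"
                      " * SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
        "src/util.c": "/* Copyright 2014 Someone Else */\nint util(void) { return 1; }\n",
        "src/orphan.c": "int orphan(void) { return 0; }\n",
        "third_party/gpl_bit/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n",
        "third_party/gpl_bit/foo.c": "/* This program is free software; you can redistribute it\n"
                                     " * under the terms of the GNU General Public License as\n"
                                     " * published by the Free Software Foundation; either version 2 */\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rep = scan_package(build_sample_package())
    for rel, depth in rep["license_files"]:
        print("license file:", rel, "(root)" if depth == 0 else "(sub-folder)")
    print("references:", {k: sorted(v) for k, v in rep["file_licenses"].items()})
    print("copyright but no license:", rep["copyright_no_license"])
    print("no pedigree:", rep["no_pedigree"])
    print("licenses in package:", sorted(licenses_in_package(rep)))
```

On the constructed package the scan reports an MIT license file at the root and a GPL-2.0 COPYING two levels down under third_party, which is the "location matters" signal: the sub-folder file scopes a different license to that component, and the package as a whole is mixed. `src/util.c` surfaces as copyright-but-no-license and `src/orphan.c` as no-pedigree, the two cases that warrant the "ask for clarification" step.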
License / business model mismatch
– e.g. modified restrictive/copyleft-licensed content in closed-source commercial software
– Cloud deployments and newer license models
– Warranties and support models
– Attribution obligations
Open Source License Resources
Software Freedom and Intellectual Property Law
by Lawrence Rosen
• http://www.rosenlaw.com/oslbook.htm
Open Source Initiative
• http://opensource.org/licenses
Free Software Foundation
• https://www.fsf.org/
SPDX: Software Package Data Exchange®
• http://spdx.org
Fossology
• http://www.fossology.org/
Contact Us:
[email protected]
http://protecode.com
Please type your questions into the chat box to the right.