OpenSourceCourse_v4

The document outlines an open-source course agenda covering key concepts like copyright, copyleft, and software license categories, including proprietary and open-source licenses. It discusses recent trends in licensing, license identification, and compliance processes for companies. Additionally, it provides examples of products and compliance challenges related to open-source software usage and distribution.

Uploaded by neerajgeorge.a

101 Open Source Course

Agenda
Introduction - Basic concepts – Copyright, copyleft, derivative work, etc…

Software license categories – Proprietary, Open source, Free software, Public Domain…

Latest trends in licensing – Source-Available Software, Commons clause…

License Identification – Find out the applicable license of open source software

Usage and distribution – Modifying and linking open source, derivative work, distribution chain,…

Product examples – Two examples representing different compliance challenges

Set up your compliance process – What to think when setting up a process at your company
Thanks Wikipedia.

Copyright definition
Legal right that grants the creator of an original work (literary works, music, photography, paintings, motion pictures, software) exclusive rights to its use and distribution (reproduce, perform, modify, distribute), with the intention of enabling the creator to receive compensation, for a limited period of time*.

*Specifics differ by jurisdiction.


Exclusive rights exercise (music)
Magnus: Play it only on your radio channel. Pay me every time you play it.
Sven: Perform in any way you want. Play it anytime, anywhere. Always credit me.

Exclusive rights exercise (software)
Magnus: Use it only in video games. Run it only on Intel processors. Pay me every time you sell it within your product.
Sven: Run it for any purpose. Free to modify it. Free to distribute it. Always credit the author.


Derivative work
Expressive creation that includes major copyright-protected elements of an original, previously created first work (the underlying work).

Leonardo da Vinci, 1519: Mona Lisa (underlying work)
Marcel Duchamp, 1919: L.H.O.O.Q. (additions to the Mona Lisa: a moustache)

*Copyright protection = author's life + 70 years (depends on jurisdiction)

Copyleft
A form of licensing that was initiated by the Free Software movement.

Copyright: Legal right that grants the creator of an original work exclusive rights to its use and distribution.
Copyleft: Offering people the right to freely distribute copies and modified versions of a work. Exists within the legal structure of copyright.
Agenda (next: Software license categories – Proprietary, Open source, Free software, Public Domain…)
License categories

Copyright protected
    Open source*
        Free Software – Copyleft
        Open source – Permissive
    Proprietary
Public Domain
    Copyright protection expired
    Anonymous authorship

*FOSS, FLOSS, OSS


Free Software vs Open Source
Free Software - Copyleft: Governed by the Free Software Foundation (FSF). They keep a list of accepted licenses: GPL, LGPL, AGPL, MPL, EPL, ... They are referred to as: Copyleft, Restrictive, protective, reciprocal…
Open Source - Permissive: Governed by the Open Source Initiative (OSI). They keep a list of accepted licenses: BSD, MIT, Apache License, ... They are referred to as: Permissive, Non-copyleft

*Both the OSI and the FSF have copyleft and non-copyleft licenses in their respective lists of accepted licenses
Free Software vs Open Source
Free Software - Copyleft: Free Software Foundation (FSF). Founded in 1985 by Richard Stallman. Non-profit organization. Defends the rights of all software users. This is a social movement; they are "software activists". Free software is software that ensures the user's freedoms: Run, Study, Share, Modify.
Open Source - Permissive: Open Source Initiative (OSI). Founded in 1998 by Eric S. Raymond and Bruce Perens. Non-profit organization. Educates about and defends open source. Promotes this model of collaboration for companies. Open Source is what complies with the OSD (Open Source Definition). Similar benefits but fewer restrictions.


Free Software vs Open Source
Free Software - Copyleft: Free Software Foundation (FSF). Founder: Richard Stallman. Created the GNU Project. Activist, "software hippie". "A proprietary program puts its developer or owner in a position of power over its users. This power is in itself an injustice." (FSF website)
Open Source - Permissive: Open Source Initiative (OSI). Co-founder: Eric S. Raymond. Released Netscape's source code. He also defends proprietary software: "I think that if a programmer wants to write a program and sell it, it's neither my business nor anyone else's but his customer's…" (Essay in 2008)
Some Historical Facts
Timeline 1980-2000:
Richard Stallman: 1983 GNU Project; 1985 FSF (GNU tools)
Linus Torvalds: 1991 Linux; 1992 GPL
Eric Raymond: 1998 OSI

Xerox 9700 printer at the AI lab at MIT: no source code for the drivers.
Linus visits an aquarium, gets bitten by a penguin and chooses it as the Linux mascot (Tux).
https://www.reddit.com/r/linux/comments/cqf3hf/floss_timeline_1980_2000/
License and Project Examples
Free Software - Copyleft
License examples: GPLv2, GPLv3 - GNU General Public License; LGPLv2.1, LGPLv3 - GNU Lesser General Public License; MPL - Mozilla Public License; EPL - Eclipse Public License
Project examples: Linux (GPL v2) – Most deployed OS; GCC (GPL v3) – Most popular compiler; Firefox (MPL) – Top 5 most used browser; Eclipse (EPL) – Most used IDE

Open Source - Permissive
License examples: BSD License - Berkeley Software Distribution; MIT License - Massachusetts Institute of Technology; Apache License
Project examples: Android (Apache) – Most used mobile OS; Apache (Apache) – Most used web server; PHP (PHP) – Popular server scripting language; Python (Python) – Popular high-level language
License Spectrum
COPYLEFT (strong to weak): GPL v3, GPL v2, LGPL v3, LGPL v2.1, MPL
PERMISSIVE: MIT, BSD, Apache License v2
Other Licenses - License Fragmentation

Beer-ware License (Poul-Henning Kamp)
/*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * As long as you retain this notice you can do whatever you want with this
 * stuff. If we meet some day, and you think this stuff is worth it, you can
 * buy me a beer in return Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 */

WTFPL (Do What the Fuck You Want To Public License) *FSF approved
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004

Copyright (C) 2004 Sam Hocevar <[email protected]>

Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. You just DO WHAT THE FUCK YOU WANT TO.

Chicken Dance License (CDL)
/* …
 * For every thousand (1000) units distributed… at least half of the employees
 * or persons affiliated with the product must listen to the "The Chicken Dance"
 * composed by Werner Thomas for no less than two (2) minutes.
 * For every twenty-thousand (20000) units distributed, one (1) or more persons
 * affiliated with the entity must be recorded performing the full Chicken Dance,
 * in an original video at the entity's own expense…
 *…
 */
Agenda (next: Latest trends in licensing – Source-Available Software, Commons clause…)
License Spectrum
COPYLEFT: GPL v3, GPL v2, LGPL v3, LGPL v2.1, MPL
PERMISSIVE: MIT, BSD, Apache License v2
Source-available: Commons Clause, RSAL*, Microsoft Shared Source
PROPRIETARY: Commercial licenses

*Redis Source Available License

SOURCE-AVAILABLE SOFTWARE
Uses a source code distribution model
Does NOT meet all open source criteria
Started in 2018 by Heather Meeker and FOSSA (Commons Clause)

Examples: Commons Clause; Redis Source Available License (RSAL); GitLab Enterprise Edition License (EE License); Mega Limited Code Review License; Microsoft Shared Source Initiative (2 out of 5 licenses)

Source: SFE Legal Network conference - Barcelona 2019; commonsclause.com

On August 22, 2018, Redis Labs shifted some modules from AGPL to Apache + Commons Clause.
Agenda (next: License Identification – Find out the applicable license of open source software)
How to identify the applicable license?
Three common places to find the applicable license of a project:
1. Inside the source code
2. In the root directory of a project
3. On the project's website

Let's look at some examples.

But keep in mind…
Publicly available code is not always open source: if not clearly stated, assume it's proprietary.
Projects sometimes include other licenses inside: you need to be compliant with the underlying licenses too.
Copy-pasted code also carries license obligations: Stack Overflow user contributions are CC-BY-SA 4.0*.
License text should be reviewed/scanned: sometimes there are modifications or additions.

*Creative Commons Attribution-Share Alike
https://stackoverflow.com/help/licensing
Reference:
https://github.com/PocketWarriors/SkywarsPe/commits/master/LICENSE
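The three places above and the "keep in mind" caveats can be checked mechanically before a component enters the code base. The script below is an added example, not part of the course material or of any project it mentions: it walks a constructed in-memory project tree, classifies the root license file by its opening phrase, reads per-file SPDX-License-Identifier tags, flags files whose tag deviates from the root license (the "other licenses inside" case), treats files with no statement as falling under the root license or, if there is none, as proprietary, and lists files that cite stackoverflow.com, whose contributions carry CC BY-SA obligations. The file names, file contents and the phrase table are assumptions made for the example.

```python
"""Locate the applicable license of a project: root license file, per-file
SPDX-License-Identifier tags, and copy-pasted Stack Overflow code.

Added example; the project tree below is constructed, not a real project.
"""
import re

# Constructed project: relative path -> file contents.
SAMPLE_PROJECT = {
    "LICENSE": (
        "MIT License\n\nCopyright (c) 2020 Example Author\n\n"
        "Permission is hereby granted, free of charge, to any person obtaining a copy...\n"
    ),
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    # Bundled third-party code under a different (copyleft) license.
    "src/vendor/fastjson.c": "// SPDX-License-Identifier: GPL-2.0-only\n/* vendored parser */\n",
    # Helper copied from a Q&A site (the URL is a constructed placeholder).
    "src/util.py": "# from https://stackoverflow.com/questions/0000000/example\ndef f():\n    pass\n",
    "docs/notes.txt": "No license statement in this file.\n",
}

ROOT_LICENSE_NAMES = ("LICENSE", "LICENSE.txt", "LICENSE.md", "COPYING", "COPYING.txt")

# SPDX short identifier, optionally combined with OR / AND / WITH.
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)
SO_URL = re.compile(r"https?://(?:www\.)?stackoverflow\.com/\S+")

# Opening phrases that identify common license texts (an assumed, minimal table;
# a real scanner compares the full text, since the slide warns of modified copies).
TEXT_HINTS = (
    ("MIT", "permission is hereby granted, free of charge"),
    ("Apache-2.0", "apache license"),
    ("BSD (count the clauses)", "redistribution and use in source and binary forms"),
    ("GPL (check the version)", "gnu general public license"),
)


def root_license(project):
    """Return the identifier of the root license file, a review marker if the
    text is not recognised, or None when the project has no root license at all."""
    for name in ROOT_LICENSE_NAMES:
        text = project.get(name)
        if text is None:
            continue
        lowered = text.lower()
        for ident, phrase in TEXT_HINTS:
            if phrase in lowered:
                return ident
        return "unrecognised: review the text"
    return None


def file_license(text):
    """Return the SPDX identifier declared inside a file, or None."""
    match = SPDX_TAG.search(text)
    return match.group(1).strip() if match else None


def assess(project):
    """Combine the three sources into one report for the compliance reviewer."""
    root = root_license(project)
    files = {p: file_license(t) for p, t in project.items() if p not in ROOT_LICENSE_NAMES}
    return {
        "root": root,
        # No clear statement anywhere: the slide's rule is to assume proprietary.
        "default": root if root else "none stated: assume proprietary",
        "files": files,
        # Files declaring something other than the root license: underlying
        # licenses you must comply with as well.
        "deviating": sorted(p for p, lic in files.items() if lic and lic != root),
        # Files with no tag: covered by the root license if there is one.
        "undeclared": sorted(p for p, lic in files.items() if lic is None),
        # Copy-pasted Stack Overflow snippets carry CC BY-SA 4.0 obligations.
        "stackoverflow": sorted(p for p, t in project.items() if SO_URL.search(t)),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_PROJECT).items():
        print(f"{key}: {value}")
```

Running it on the constructed tree reports MIT as the root license, the vendored GPL-2.0-only parser as a deviating file, and the Stack Overflow helper as both undeclared and attribution-bearing; the third place on the slide, the project website, still has to be checked by hand.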
Agenda (next: Usage and distribution – Modifying and linking open source, derivative work, distribution chain,…)
Usage Examples
Free Software - Copyleft
1. Derivative works (modifications): Copyleft + Modifications
2. Combined works (linking): Proprietary + Copyleft → Derivative work* (*license propagation, copyleft effect)

Open Source - Permissive
1. Derivative works (modifications): Permissive + Modifications
2. Combined works (linking): Proprietary + Permissive → Proprietary (no license propagation)

*Please do not refer to derivative works of software as contamination.


How to identify derivative work?
It really differs from the license and project…

LGPL License: derivative work depends on how it's linked*:
Statically -> generally accepted as derivative work
Dynamically -> generally accepted as no derivative work
"A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License."
*Paragraph 5 of the LGPL version 2.1

Linux: derivative work is defined by Linus Torvalds himself in the linux-syscall-note** file:
"NOTE! This copyright does *not* cover user programs that use kernel services by normal system calls - this is merely considered normal use of the kernel, and does *not* fall under the heading of "derived work". Also note that the GPL below is copyrighted by the Free Software Foundation, but the instance of code that it refers to (the Linux kernel) is copyrighted by me and others who actually wrote it."
**https://github.com/torvalds/linux/blob/master/LICENSES/exceptions/Linux-syscall-note
Distribution Examples
Copyleft → Free Software: Source code; Rights to Run, Study, Share, Modify
Permissive → Free Software: Attribution; Source code; Rights to Run, Study, Share, Modify
Permissive → Open Source: Source code; Rights to Run, Study, Share, Modify
Permissive → Proprietary: Attribution
(Permissive: business friendly)
Agenda (next: Product examples – Two examples representing different compliance challenges)
Two challenges on how to do compliance
Mixing proprietary and FOSS
Multiple SW suppliers

License Spectrum
COPYLEFT: GPL v3, GPL v2, LGPL v3, LGPL v2.1, MPL
PERMISSIVE: MIT, BSD, Apache License v2
Source-available: Commons Clause, RSAL, Microsoft Shared Source
PROPRIETARY: Commercial licenses

Use cases (Product, Software, Due diligence):
Use case 1 – Product A (Buyer A): Proprietary. Due diligence: nothing.
Use case 2 – Product B (Buyer B): Proprietary + BSD. Due diligence: 1. Credit the author (attribution): notice file.
Use case 3 – Product C (Buyer C): Proprietary + GPLv2. Due diligence: 1. Credit the author (attribution) 2. Derivative work? 3. Share the source code.
Use case 4 – Product D (Buyer D): Proprietary + … Due diligence: 1. All the above and… reflash the hardware, remove hardware restrictions.
In-house applications and development
Supplied internally
Native apps: Climate control
Proprietary platform adaptations

3rd party applications
Supplied by software companies or freely available
Managed apps: Music services or social networks
All dependent on open source libraries

Middleware
Available via GENIVI platform
Dozens of open source components and corresponding dependencies

Operating system
Supplied by commercial Linux distributor (or in-house Yocto based)
Dependent on hundreds of open source packages
Drivers for specific HW modules

Open source reports
Provided by suppliers along with their sw deliveries
SPDX data (spdx.org) and other materials that the open source licenses governing a software deliverable may require
Report accuracy depends highly on the supplier's OSS mgmt maturity (OpenChain certified?)
Supplier OSS management
Gather all information from suppliers
Essential for your own OSS mgmt work
Essential for your compliance work
Essential for your security vulnerability mgmt

What if… there is a missing package in the report?
OSS policies might be violated
Compliance work is jeopardized
Security vulnerabilities might go unnoticed

What if… the wrong package version is reported?
A different license might apply
Compliance work is jeopardized
Security vulnerability info would be incorrect
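Both "what if" cases are caught by reconciling the supplier's report against what the delivery actually contains. The script below is an added example, not from the course or from any supplier: it parses a constructed SPDX 2.2-style JSON report (a minimal subset of the real fields: SPDXID, name, versionInfo, licenseConcluded), compares it with a constructed inventory of the packages found in the shipped image, and reports packages missing from the report, version mismatches, reported packages that were not shipped, and packages whose license the supplier left as NOASSERTION. The package names and versions are constructed for the example.

```python
"""Reconcile a supplier's SPDX report against the packages actually found in
the delivered software, to catch a package missing from the report and a
package reported with the wrong version.

Added example; the report and the observed package list are constructed.
"""
import json

# Constructed supplier report, a minimal subset of the SPDX 2.2 JSON fields.
SUPPLIER_REPORT = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "middleware-delivery-2021.3",
    "packages": [
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "licenseConcluded": "Zlib"},
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "1.1.1k",
         "licenseConcluded": "OpenSSL"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "2.0.4",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-libbar", "name": "libbar", "versionInfo": "0.9.1",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed inventory of what the build actually shipped, e.g. taken from the
# image's package database or the build manifest: (name, version).
OBSERVED_PACKAGES = [
    ("zlib", "1.2.11"),
    ("openssl", "1.1.1k"),
    ("libfoo", "3.1.0"),      # a different major version than the report says
    ("libbar", "0.9.1"),
    ("busybox", "1.33.1"),    # not mentioned in the report at all
]


def reconcile(report_json, observed):
    """Compare the supplier report with the observed inventory.

    Returns the packages missing from the report, the version mismatches as
    (name, reported, observed), the reported packages not found in the
    delivery, and the packages whose license the supplier did not conclude."""
    report = json.loads(report_json)
    reported = {p["name"]: p for p in report["packages"]}
    observed_by_name = dict(observed)

    missing = sorted(n for n in observed_by_name if n not in reported)
    mismatched = sorted(
        (n, reported[n]["versionInfo"], v)
        for n, v in observed_by_name.items()
        if n in reported and reported[n]["versionInfo"] != v
    )
    unshipped = sorted(n for n in reported if n not in observed_by_name)
    unresolved = sorted(
        n for n, p in reported.items()
        if p.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE")
    )
    return {"missing": missing, "mismatched": mismatched,
            "unshipped": unshipped, "unresolved_license": unresolved}


def findings(result):
    """Turn the differences into the consequences listed on the slides."""
    out = []
    for name in result["missing"]:
        out.append(f"{name}: not in report; policy checks, compliance work and "
                   f"vulnerability tracking are all blind to it")
    for name, rep, obs in result["mismatched"]:
        out.append(f"{name}: report says {rep}, delivery has {obs}; "
                   f"re-check the license of {obs} and its vulnerability data")
    for name in result["unresolved_license"]:
        out.append(f"{name}: supplier did not conclude a license; ask for it")
    return out


if __name__ == "__main__":
    for line in findings(reconcile(SUPPLIER_REPORT, OBSERVED_PACKAGES)):
        print(line)
```

The inventory side is the part worth automating well: a report that is only compared against itself proves nothing, so the observed list should come from the delivered artefact (package database, build manifest or a scan of the image), not from the supplier.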


Agenda (next: Set up your compliance process – What to think when setting up a process at your company)
The ultimate smart microwave is not going to make itself:
- Shortest time to market
- Lowest dev. cost possible
- No copyright infringement

1. Be efficient through well-defined OS policies: use as much existing software as you can to cut time-to-market.
2. Create and enforce an open source intake process: allow developers to apply for open source that complies with your policies.
3. Be compliant: scan regularly to verify approved open source and detect unapproved. At the time of distribution you need to be compliant with all included licenses.

Development → Distribution: a developer applies for OS component usage, reuses a previously approved component, copy-pastes code from the internet; at distribution you need to be compliant with all included licenses.

Open source scanning
Scans against a huge database of open source and finds matches on: Components, Files, Code Snippets
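The three match granularities on the slide differ in what they can catch: a component or file match is an exact identity, while the copy-pasted function from step 3 only shows up through snippet matching. The script below is an added example, not the course's or any scanner vendor's code: it builds a tiny constructed index of "known open source" files, then scans a constructed code base, reporting whole-file matches by SHA-256 and snippet matches by the number of shared k-token fingerprints (comments and whitespace stripped first, so a renamed comment does not hide a pasted function). The index contents, file names, k-gram size and threshold are assumptions made for the example.

```python
"""Match a code base against a (tiny, constructed) index of known open source
at the granularities scanners use: whole components/files and copied snippets.

Added example; the index and the scanned files are constructed, not real code.
"""
import hashlib
import re

# Constructed index: (component, license) -> {file name: contents}.
KNOWN_OPEN_SOURCE = {
    ("tinyhash", "MIT"): {
        "tinyhash.c": (
            "unsigned long djb2(const char *s) {\n"
            "    unsigned long h = 5381;\n"
            "    int c;\n"
            "    while ((c = *s++))\n"
            "        h = ((h << 5) + h) + c;\n"
            "    return h;\n"
            "}\n"
        ),
    },
    ("numparse", "GPL-2.0-only"): {
        "parse.c": (
            "int parse_int(const char *s, int *out) {\n"
            "    int v = 0, neg = 0;\n"
            "    if (*s == '-') { neg = 1; s++; }\n"
            "    if (*s < '0' || *s > '9') return -1;\n"
            "    while (*s >= '0' && *s <= '9') v = v * 10 + (*s++ - '0');\n"
            "    *out = neg ? -v : v;\n"
            "    return 0;\n"
            "}\n"
        ),
    },
}

# Constructed code base under review.
SCAN_TARGET = {
    # Verbatim copy of a whole file: found by hash.
    "src/hash.c": KNOWN_OPEN_SOURCE[("tinyhash", "MIT")]["tinyhash.c"],
    # A function pasted into an otherwise original file, with new comments:
    # the file hash differs, so only snippet matching finds it.
    "src/input.c": (
        "/* input handling, written in-house */\n"
        "#include <stdio.h>\n"
        "/* helper borrowed from the internet */\n"
        + KNOWN_OPEN_SOURCE[("numparse", "GPL-2.0-only")]["parse.c"]
        + "int read_line(char *buf, int n) { return fgets(buf, n, stdin) != NULL; }\n"
    ),
    "src/main.c": "int main(void) { puts(\"hello\"); return 0; }\n",
}

K = 6             # tokens per k-gram
SNIPPET_MIN = 10  # shared k-grams needed before a snippet match is reported


def tokens(text):
    """Strip C comments and split into identifiers/numbers and punctuation."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    return re.findall(r"\w+|[^\s\w]", text)


def fingerprint(text):
    """Hashes of every K-token window: order-sensitive, but insensitive to
    comments and whitespace."""
    toks = tokens(text)
    return {hashlib.sha1(" ".join(toks[i:i + K]).encode()).hexdigest()
            for i in range(len(toks) - K + 1)}


def file_hash(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_index(known):
    """Per known file: component, license, exact hash and snippet fingerprint."""
    return [(comp, lic, name, file_hash(text), fingerprint(text))
            for (comp, lic), files in known.items() for name, text in files.items()]


def scan(target, index):
    """Return {path: (kind, component, license, shared_kgrams)} for matched files."""
    results = {}
    for path, text in target.items():
        h, fp = file_hash(text), fingerprint(text)
        best = None
        for comp, lic, name, known_hash, known_fp in index:
            if h == known_hash:                      # exact file match wins outright
                best = ("file", comp, lic, len(known_fp))
                break
            shared = len(fp & known_fp)
            if shared >= SNIPPET_MIN and (best is None or shared > best[3]):
                best = ("snippet", comp, lic, shared)
        if best:
            results[path] = best
    return results


if __name__ == "__main__":
    for path, (kind, comp, lic, shared) in scan(SCAN_TARGET, build_index(KNOWN_OPEN_SOURCE)).items():
        print(f"{path}: {kind} match -> {comp} ({lic}), {shared} shared k-grams")
```

The GPL-2.0-only snippet inside an otherwise in-house file is exactly the case the intake process cannot see, which is why the slide pairs the process with regular scanning; a production scanner uses the same idea over a database of millions of files, and tunes K and the threshold to balance misses against noise.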


Set up your compliance process
*Thank you Ibrahim Haddad!

Proprietary Sw, 3rd Party Sw, Open source Sw → Notices, Source code, Written Offer

There are 9 key steps in an end-to-end compliance process:
1. Identification of incoming source code
2. Auditing source code
3. Resolving any issues uncovered by the audit
4. Completing appropriate reviews
5. Receiving approval to use open source
6. Registering open source in the software inventory
7. Updating product documentation to reflect open source usage
8. Performing verification of all steps previous to distribution
9. Distributing source code packages and performing final verifications in relation to distribution
Derivative work criticism is old!

"Linux is a cancer that attaches itself in an intellectual property sense to everything it touches"
Steve Ballmer 2001, Former Microsoft CEO

Today MSFT is one of the largest contributors to the open source community.
What to consider?
If you are considering acquiring a company:
Think of… / Because maybe…
How much is their innovation? / 95% of it could be just existing open source…
Are there licenses that could jeopardize their IP? / Copy-pasted copyleft that could propagate…
Are they mature with open source compliance? / Already released products with compliance problems…
Do they have proper open source policies? / There are license incompatibilities…
Do they keep track of existing vulnerabilities in OSS? / Their software might have known vulnerabilities…
What is their patent context? / There are existing patents that could affect the business…

Want to avoid surprises? Do an open source and patent screening audit.
