Introduction of Free/Open-source Software License and FOSSology (slide transcript; Ryan Cho, JNR321, 2013/09/11)

Page 1

Jan. 2012

Introduction of Free/Open-source Software License and FOSSology

Ryan Cho, JNR321

2013/09/11

Page 2

Outline

Preface
Free/Open Source License
  History
  Basic Concept
  License Categories: BSD/MIT, GPL/LGPL, MPL
FOSSology
  Introduction
  Result of License Scanning
Conclusion
Reference

Page 3

Confidential Material for Internal Use Only

Preface

How do we program?

Page 4

Preface

Page 5

Preface

Download & Combine

Page 6

Preface

Open Source ≠ Development Methodology

Page 7

Preface

Open Source = License

Page 8

Outline (section divider; the outline is the same as on page 2)

Page 9

Free/Open Source License - History: Free Software

• The term was coined in 1985 by Richard M. Stallman
• The GNU operating system began in January 1984
• The Free Software Foundation (FSF) was founded in October 1985
• Moral and spirit as keynote

Page 10

Free/Open Source License - Basic Concept: Spirit of Free Software

Four Freedoms:
• Freedom to run the program
• Freedom to study and adapt the program
• Freedom to redistribute
• Freedom to improve the program and feed the improvements back to the community

Page 11

Free/Open Source License - History: Open Source Software

• Bruce Perens & Eric Steven Raymond
• Open Source Initiative (OSI), 1998
• Eclecticism and commercial thinking
• Quality as keynote

Page 12

Free/Open Source License - Basic Concept: Definition of Open-source Software

Six common features:
• The source code is open
• No specific authorization object
• No restriction on the region of use
• No license fee
• No accompanying guarantee (warranty)
• Derivative works may be provided to others

Page 13

Free/Open Source License - Basic Concept: Names

• Free Software
• Open Source Software (OSS)
• Free/Open Source Software (FOSS)
• Free/Libre/Open Source Software (FLOSS)

Page 14

Free/Open Source License - Basic Concept: Similar terms

• Freeware: free to use, no source code
• Shareware: usually free to use with time or feature limitations, no source code; a commercial version is for sale
• Public domain software: the intellectual property rights have expired, have been forfeited, or are inapplicable

Page 15

Free/Open Source License Categories: Different contents of free license terms

License terms, in the order shown on the slide (from proprietary to public domain):
• Proprietary Software License
• GPL
• LGPL
• AGPL
• EPL/CPL
• MPL/CDDL
• Apache 2.0
• MIT/BSD
• Public Domain

Page 16

License Categories – BSD/MIT

BSD license text:

Copyright (c) <year>, <copyright holder>
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the <organization> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

MIT license text:

Copyright (C) <year> <copyright holders>

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Diagram labels: BSD = C + D; MIT = C + D (C: copyright notice, D: disclaimer; see page 17)

Page 17

License Categories – BSD/MIT: C + D

C: Copyright notice
D: Disclaimer
Users have a large scope of usage rights and only a small number of obligations.

Where the notice should be placed:
• Source code: in files such as README, LEGAL, LICENSE
• Application: in the "About" label
• Embedded system devices: in the user manual

Page 18

License Categories – BSD/MIT

Page 19

Free/Open Source License: Copyleft

• Achieves the four freedoms
• Copyright-based
• Pre-authorizes the rights to users
• Users must license their own works under the same terms

"I open my source code for you to modify; you need to open yours under the same rules."

Authorization constraints

Page 20

License Categories - GPL

• GNU General Public License v. 1 (1989)
• GNU General Public License v. 2 (1991)
• GNU General Public License v. 3 (2007)

Authorization constraints:
• Viral effect
• License capture
• License reciprocity
• License inheritance

Freedom, Sharing, Reciprocity. We always have to DO this!

Page 21

License Categories - GPL: GPL schematic diagram

GPL Program -> (modified or linked) -> New Program, which is a GPL Program

Page 22

License Categories - GPL: Works Based on the Program

1. Modified: A (GPLed) -> A' (GPLed)
2. Used: A + B-portion (GPLed) -> A' (GPLed)
3. Linking: A + B (GPLed) -> C (GPLed)

Page 23

License Categories – GPL: GPL authorization constraints (diagram)

A: the GPLed A program; B: the B program, built on A; C: a recipient of B.
• B provides object code of its program to C.
• C wants to modify the program and asks B for the source code.
• B has the obligation to provide the source code to C.

The trigger is distribution!

Page 24

License Categories – GPL: GPLv2 vs. GPLv3

• Principle: the two versions are incompatible with each other
• Internationalization: v3 uses new terminology rather than language tied to US legal concepts
• Patents: v3 specifically addresses patents
• "Tivo-ization": v3 addresses restrictions (like TiVo's) in consumer products that take away, through hardware, the ability to modify the software
• DRM: v3 addresses digital rights management
• Termination: v3 specifies what happens if the license is violated and how violations are cured
• Exception: code licensed "GPL version 2 or later" may be taken under GPLv3

See also: Matrix of GPL compatibility; All Compatibility of GPL

Page 25

License Categories - LGPL

• GNU Lesser General Public License v. 2 (1991), originally named the GNU Library General Public License
• GNU Lesser General Public License v. 2.1 (1999)
• GNU Lesser General Public License v. 3 (2007)

Page 26

License Categories - LGPL: LGPL schematic diagram

LGPL Library -> (modified) -> New Library, which is an LGPL Library

Page 27

License Categories - LGPL: LGPL schematic diagram

LGPL Library -> (linked) -> New Program, which stays a New Program

Page 28

License Categories - LGPL: Works Based on the Program

1. Modified: A (LGPLed) -> A' (LGPLed)
2. Used: A + B-portion (LGPLed) -> A' (LGPLed)
3. Linking: A + B (LGPLed) -> A + B (LGPLed)

Page 29

License Categories – GPL/LGPL: Trigger of the GPL authorization constraints

• Criterion: distribution behavior
• Obligation that arises: provide the source code
• No distribution, no obligation to provide source code
• ASP (Application Service Provider): not restricted by the GPL

Page 30

License Categories – AGPL

• AGPL-3.0, GNU Affero General Public License 3.0
• ASP (Application Service Provider): providing a network service counts as distribution, so you must provide the source code
• Apart from Section 13, the terms are the same as GPLv3

Page 31

License Categories - AGPL: AGPL schematic diagram

AGPL Program -> (combined / closely related) -> New Program, which is an AGPL Program

Page 32

License Categories – GPL/LGPL

Page 33

License Categories - MPL

• Mozilla Public License 1.1
• Common Development and Distribution License 1.0
• Common Public License 1.0 / Eclipse Public License 1.0

Page 34

License Categories - MPL: MPL schematic diagram (file-separated)

The program is built from files under different licenses: the files taken from the MPL Program stay under the MPL License, and the other files stay under the X License or the Y License. In the combined MPL Program each file keeps its own license, so what matters is the compatibility between the license terms.

Page 35

License Categories - MPL: MPL authorization constraints

• Partial constraints: copyleft applies only to the original scope of authorization
• Does not infect our own code
• MPL/CDDL (file-based): object files built from MPL/CDDL files must use MPL/CDDL; our own source code is up to ourselves
• EPL/CPL (module-based): our own independent modules are up to ourselves

Page 36

License Categories – MPL/CDDL

Page 37

License Categories: Different marker, different purpose

• BSD: academic institutions; reputation
• GPL: software developers; research
• Others: commercial; benefit

Page 38

FOSS License Categories: Common License Term Sheet

Category    | License      | Full name
BSD class   | Apache 1.1   | Apache Software License 1.1
BSD class   | Apache 2.0   | Apache License 2.0
BSD class   | BSD          | New BSD License
BSD class   | MIT          | MIT License
BSD class   | Zlib/libpng  | Zlib/libpng License
GPL class   | GPL          | GNU General Public License 2.0/3.0
GPL class   | LGPL         | GNU Lesser General Public License 2.1/3.0
GPL class   | AGPL         | GNU Affero General Public License 3.0
Other class | CPL/EPL      | Common Public License 1.0 / Eclipse Public License 1.0
Other class | MPL          | Mozilla Public License 1.1
Other class | CDDL         | Common Development and Distribution License 1.0
Other class | QPL          | Qt Public License 1.0
Other class | Artistic 2.0 | Artistic License 2.0

Page 39

FOSS License Compatibility

An arrow from box A to box B means that we can combine software under these two licenses; the combined result effectively has the license of B, possibly with additions from A.

Page 40

FOSS License Compatibility (in principle): Can different licenses exist in one program?

Legend:
◎: compatible; the two types of license can exist at the same time
◇: compatible, but replaced by the green item and the blue item is eliminated
△: compatible; a special coexistence case for MPL and GPL
×: not compatible

         | GPL | MPL | BSD | Specific
GPL      | ×   | ×   | ◇   | ×
MPL      | △   | ◎   | ◎   | ◎
BSD      | ×   | ◎   | ◎   | ◎
Specific | ×   | ◎   | ◇   | Agreement

Page 41

Outline (section divider; the outline is the same as on page 2)

Page 42

Introduction: FOSSology (http://fossology.org)

• An open source compliance toolset that provides license and copyright discovery
• Goal: create a public open source software repository, together with tools to maintain the repository and to facilitate analysis, storage, and sharing of metadata
• Find and manage licenses in a code base
• Hewlett-Packard (HP) initiated FOSSology; it is an open source project of the FOSSology team

Using FOSSology:
• Installation: http://fossology.org/download
• Official demo server: http://repo.fossology.org

Page 43

How FOSSology Works

Components: Web GUI, Repository, PostgreSQL, Agents.

Flow shown in the diagram:
• Files are uploaded through the Web GUI and stored in the Repository
• Agents scan the stored files
• Agents store the results in PostgreSQL
• The Web GUI reports the results from PostgreSQL

Page 44

Snapshot - Homepage

(screenshot with the menu)

Page 45

Snapshot - Upload

(screenshot: select folder, enter URL, select analysis)

Page 46

Snapshot - Scanning Process

1. Log into the FOSSology UI
2. Upload a compressed file from localhost or by URL into FOSSology
3. After the upload finishes, FOSSology schedules the new job
4. Job 9 to Job 11 are processed in sequence
5. Job 12 to Job 15 are processed concurrently:
   – Job 12: Copyright/Email/URL analysis
   – Job 13: MIME-type analysis (determine the MIME type of every file)
   – Job 14: Nomos license analysis
   – Job 15: Package analysis (parse package headers)

Page 47

Snapshot - Scanning Result

Example: package name inadyn

Page 48

Open Source Software Analysis Tools: FOSSology vs. Black Duck vs. Palamida

Penetration
• FOSSology: developed and used by HP
• Black Duck: used by Intel, Samsung, AIRBUS
• Palamida: used by IBM, Borland, Eclipse

Maturity of software
• FOSSology: released in 2008, currently at version 2.0.0
• Black Duck: has existed since 2002
• Palamida: developed since 2003

Technologies used
• FOSSology: full web UI using PHP and PostgreSQL; also includes a CLI
• Black Duck: unknown
• Palamida: Java

Cost
• FOSSology: open source
• Black Duck: paid for service
• Palamida: paid for service

Portability
• All three: web application

License
• FOSSology: GPLv2 / LGPL for some libraries
• Black Duck: none (commercial)
• Palamida: none (commercial)

Functions
FOSSology:
• Upload a software file or any kind of compressed package
• Find licenses in all files based on their license headers
• Find copyright notices in all files
• Put files in buckets, for example a GPL bucket
• Does not do any analysis according to a policy for which licenses to use
Black Duck:
• Searches files for licenses based on license text
• Searches files for licenses based on method context
• Finds license incompatibilities in FOSS
• Supports SPDX
• Finds vulnerabilities in the FOSS used
• Searchable codebase for finding proper FOSS
• Black Duck releases updates of its KnowledgeBase every 3-4 weeks
Palamida:
• Analyzes headers for licenses
• Analyzes files or chunks of code against a global database of open source software to find undocumented FOSS
• Scans and finds vulnerabilities as well as licenses

Page 49

Conclusion

According to the scanning result, some license types need to be taken care of:
• GPL-related licenses
• See-doc (OTHER)

Possible solutions:
• Obtain a different authorization from the original author
• Replace the GPL-related package
• Release the GPL-related partial code
• Rewrite the code

Check the license before using! Stand upon the shoulders of giants to develop!
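The header-based license detection and bucketing described on pages 46 and 48, the distribution trigger of pages 29 and 30, and the conclusion's list of license types that need attention can be put together in one small script. The following is an added example written for this transcript; it is not code from FOSSology, from its Nomos agent, or from the presentation. The sample file headers are constructed (the package name and paths are made up), the regular expressions are simplified markers chosen from the license texts quoted on pages 16 and 20 (Nomos uses a far larger rule set), and the function and bucket names are my own.

```python
"""Toy license-header scanner with buckets and an obligation check (added example)."""
import re
from collections import defaultdict

# Constructed sample files: path -> first lines of the file. Not a real package.
SAMPLE_FILES = {
    "example-pkg/src/dyndns.c": (
        "/* This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License */"
    ),
    "example-pkg/src/getopt.c": (
        "/* This library is free software; you can redistribute it and/or modify it\n"
        " * under the terms of the GNU Lesser General Public License version 2.1 */"
    ),
    "example-pkg/src/base64.c": (
        "/* Redistribution and use in source and binary forms, with or without\n"
        " * modification, are permitted provided that the following conditions are met: */"
    ),
    "example-pkg/src/strutil.c": (
        "/* Permission is hereby granted, free of charge, to any person obtaining a copy\n"
        " * of this software and associated documentation files (the \"Software\") */"
    ),
    "example-pkg/src/md5.c": "/* Copyright (c) 2013 Example Corp. All rights reserved. */",
    "example-pkg/README": "example-pkg - dynamic DNS client\nSee the file COPYING for the license terms.",
}

# Ordered heuristic rules; the first match wins, so the more specific GNU variants are
# tested before plain GPL. Simplified markers taken from the license texts on pages 16 and 20.
RULES = [
    ("AGPL", re.compile(r"GNU Affero General Public License", re.I)),
    ("LGPL", re.compile(r"GNU (Lesser|Library) General Public License", re.I)),
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    # A file that only points at another document (COPYING, LICENSE, LEGAL) is what the
    # conclusion slide calls "See-doc": a human has to follow the reference.
    ("See-doc", re.compile(r"\bsee\b.*\b(COPYING|LICEN[CS]E|LEGAL)\b", re.I | re.S)),
]

# Buckets in the sense of page 48 ("put files in buckets, for example a GPL bucket").
BUCKET_OF = {"GPL": "GPL class", "LGPL": "GPL class", "AGPL": "GPL class",
             "BSD": "BSD class", "MIT": "BSD class", "See-doc": "OTHER"}


def detect_license(text):
    """Return the license name for a file header, or 'No license found'."""
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return "No license found"


def scan(files):
    """Map every file to a license and group the (path, license) pairs into buckets."""
    buckets = defaultdict(list)
    for path, text in files.items():
        name = detect_license(text)
        buckets[BUCKET_OF.get(name, "OTHER")].append((path, name))
    return dict(buckets)


def source_obligation(name, distributed, network_service=False):
    """Whether the license obliges us to provide source code, following pages 29 and 30:
    the GPL family is triggered by distribution, AGPL also by offering a network service;
    BSD/MIT only require keeping the copyright notice and disclaimer (page 17)."""
    if name == "AGPL":
        return distributed or network_service
    if name in ("GPL", "LGPL"):
        return distributed
    return False


def needs_attention(files, distributed=True, network_service=False):
    """Files the conclusion slide says to take care of: GPL-related files whose
    obligation is triggered, plus See-doc and unrecognised files. Sorted by path."""
    flagged = []
    for path, text in files.items():
        name = detect_license(text)
        if name in ("See-doc", "No license found") or source_obligation(name, distributed, network_service):
            flagged.append((path, name))
    return sorted(flagged)


if __name__ == "__main__":
    for bucket, members in sorted(scan(SAMPLE_FILES).items()):
        print(bucket)
        for path, name in members:
            print(f"  {name:16} {path}")
    print("Needs attention when the product is shipped:")
    for path, name in needs_attention(SAMPLE_FILES):
        print(f"  {name:16} {path}")
```

The rule order matters: "GNU General Public License" is not a substring of "GNU Lesser General Public License", but a looser pattern would misfile LGPL and AGPL code into the plain GPL bucket, so the specific variants are tested first. Running `needs_attention` with `distributed=False` drops the GPL and LGPL files from the list, which is the ASP case of page 29; setting `network_service=True` brings only AGPL files back, which is the point of page 30.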
