Beware ofyour creations

iText,a Free / Open Source PDF libraryCase Study: IPR projectby Bruno Lowagie

2/20

What is iText?

If you want to find our more about iTextvisit http://www.lowagie.com/iText/Or read the book “iText in Action”

iText is a Free / Open Source Software library that allows Java and .Net developers to enhance their applications with PDF generation and manipulation functionalities. iText is used by Google, Adobe, JasperSoft, IBM, NASA, the DoD, KLM, NMBS, FedEx, UPS, many different governments, banks, insurance companies, and so on.

3/20

Context of the IPR project

IBM and SUN are competitorsIBM created the Eclipse Foundation to compete with SUN on the Java frontEclipse is an Integrated Development Environment (IDE)Eclipse is a Java oriented Open Source CommunityEclipse offers a suite of Open Source productsDifferent Eclipse projects are lead by different companies; Each project/product has its own release cycle

4/20

Context of the IPR project

The Callisto Simultaneous Release (july 2006) was the first time a suite of selected products was released simultaneouslyThis release was fully tested by IBM and hosted on servers from the Eclipse Foundation.Eclipse/BIRT was part of this simultaneous releaseEclipse/BIRT is a Business Intelligence & Reporting Tools project lead by ActuateEclipse/BIRT uses iText for PDF Generation

5/20

Context of the IPR project

IBM only wanted to host iText on their servers if:The iText license (MPL/LGPL) was changed to EPLThe iText code was vetted and accepted by IBM’s legal department: the IP of the iText source code had to be 100% OK.

None of these conditions were met; as a result iText was not a part of the Callisto Simultaneous Release; users had to download it separately.

The Eclipse Foundation tried to put pressure on Bruno to release iText under the EPL.

6/20

Context of the IPR project

Bruno’s response:Changing to EPL is a No-Go for the iText community.If IBM doesn’t want to use iText: it’s not our problem; it’s IBM’s problem! But Actuate wanted to use iText…Solution: a Research Agreement was signed between Actuate and Ghent University (Bruno’s employer) to create a detailed IP Report for iText and to solve all possible IP issues reported by IBM Canada.The goal was the integration of iText in the Eclipse Europe release (july 2007). By the way: we made the release!

7/20

The Problem with F/OSS Software

A F/OSS library is a joined effort of many different people.A F/OSS library such as iText grows organically.Looking at the source code of many projects, you have:

a White zone: code of which the IP is 100% clear; you know because you have written the code yourself.a Gray zone: code that was contributed by others. Where did they get this code? Did they write the code? Were they allowed to contribute that code?a Black zone: code that was integrated in the library, but for which there was no license or authorization.

8/20

The White Zone

You have written the code yourself, but…What about your employer? Does your employer own (part of) the code? Do you have a formal agreement with your employer with respect to F/OSS?Where did you get your inspiration? IBM developers are forbidden to look at any code that is not formally approved by IBM’s legal team. Good practice or burden?

Note: you don’t always need to own the IPR to do business with F/OSS! For instance: in the past, iText licenses were sold by PDF Sages (now acquired by Adobe Systems)

9/20

The Gray Zone

The code was contributed, but…Did the contributor agree with the license?Did the contributor’s employer agree?Where did the contributor get his inspiration?

The Apache Foundation demands contributors and their employers to sign a Contributor License Agreement (CLA)

SUN demands contributors to sign a Sun Contributor Agreement (SCA) from the moment the contributions contain more than 20 lines of code

10/20

The Gray Zone

The code was taken from another project, but…Are the licenses compatible?Do you respect the other project’s license?Where did the other project get its code from?

Always keep an online inventory of:All Contributors (if possible: let them sign a CLA)All F/OSS Projects used (subset / derivative work)

11/20

The Black Zone

Unfortunately it may happen that you were not allowed to use some specific code that is part of your project.

Solution:either you ask (and get!) permission,or you remove the code.

12/20

Examples

Turning Gray and Black into WhiteA selection of issues that were solved in the context of the

Research Agreement between Actuate and GhentUniversity. These issues were reported by IBM’s Legal Department in Canada.

These issues were solved by Bruno Lowagie, and they givean idea of the work involved when maintaining a successful F/OSS project.

Writing code is the easy part of the job ;-)

13/20

Example 1: JavaWorld article

State Machine to parse XML quickly:http://www.javaworld.com/javaworld/javatips/jw-javatip128.htmlSource code taken from/inspired by this articleFine print: http://www.javaworld.com/javaworld/common/jw-copyright.htmlCopyright - All contents of JavaWorld, including text, programs, applets, source code, and images are copyrighted and owned by IDG or the copyright holder specified, all rights reserved. No material may be reproduced electronically or in print without written permission.

Solution: write JavaWorld and author, get permission! There were many other places where licenses were incomplete or missing!

14/20

Example 2: RC4

Class names and variable names referring to RC4

RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list.It was soon posted on the sci.crypt newsgroup, and from there to many sites on the Internet. Because the algorithm is known, it is no longer a trade secret.The name "RC4" is trademarked, however. The current status seemsto be that "unofficial" implementations are legal, but cannot use the RC4 name.RC4 is often referred to as "ARCFOUR" or "ARC4" (meaning AllegedRC4, because RSA has never officially released the algorithm), to avoid possible trademark problems.

Solution: change RC4 into ARCFOUR in all files

15/20

Example 3: IntHashtable

Class IntHashtableTaken from ACME.com

// This is 90% based on JavaSoft's java.util.Hashtable.// Visit the ACME Labs Java page for up-to-date versions of this and other// fine Java utilities: http://www.acme.com/java/

JavaSoft is a name used by Sun in the past in their Java activities.Sun indicates use of the class java.util.Hashtable which is subject to unfriendly Sun licenseIt is unlikely that this code is available under a license that permits this use. Without information indicating that Sun approved of this usage the class should not be used.

Solution: use the same class released by Apache under the APL in Apache-Commons instead of the ACME class.

16/20

Example 4: EPS

EPS FunctionalityTaken from an example released by SUN under a Sample License.The Sample License allowed the use of the code, but the source code contained this text:/** Copyright 1998 by Sun Microsystems, Inc.,* 901 San Antonio Road, Palo Alto, California, 94303, U.S.A.* All rights reserved.** This software is the confidential and proprietary information* of Sun Microsystems, Inc. ("Confidential Information"). You* shall not disclose such Confidential Information and shall use* it only in accordance with the terms of the license agreement* you entered into with Sun.*/

Solution: after a very long argument about this comment section versus the Sample License, EPS functionality was dropped.

17/20

Example 5: Fedora Linux and nuclear facilities

JAI codeTaken from JAI (by SUN) originally released under a very liberal License.However, the license text contains the following clause:/** You acknowledge that Software is not designed, licensed or* intended for use in the design, construction, operation or* maintenance of any nuclear facility.*/

As long as the word “license” isn’t removed, iText can’t be distributed with Fedora Linux.

Solution: direct communication with the core developers to solve the problem.

18/20

Finally

You can save a lot of work by doing things the right way right from the start.

If it’s too much work, or if it gets in the way of doing your work, you are not alone!

19/20

Finally

If you have built castles in the air,Your work need not be lost;That is where they should be.Now put the foundations under them.

(Henry David Thoreau – Walden)

20/20

Questions

Q & A