spdx - fossbazaar - licensing - fossa2010
DESCRIPTION
FOSSBazaar-SPDX Initiative, Martin Michlmayr. Legal Issues: the IP licensing initiative of FOSSBazaar (HP OSS Division, Debian, Cyrius).
TRANSCRIPT
The State of Open Source Licensing and Ways to Improve It
Martin Michlmayr [email protected]
Martin Michlmayr The State of Open Source Licensing and Ways to Improve It
Agenda
Why licensing matters
Open source licensing
Contributor agreements
Copyright assignment
Tools for the detection of licenses: FOSSology
Standard for exchange of license information: Software Package Data Exchange (SPDX)
Not covered: licenses; legal advice
Target audience
Companies using open source, especially those that also distribute it
  Must understand the importance of honouring licenses
  Identify licenses and follow them
  Work with projects to ensure their intentions are followed
Open source projects
  Ensure that licensing is done right
  Work with companies that use and distribute their software
Researchers
  Can shed light on best practices
  Can help improve the state of licensing
Why is licensing an important topic?
Increasing adoption and penetration of open source
Companies are getting sued, leading to more awareness:
  SCO: question of code ownership
  BusyBox, gpl-violations.org: complying with FOSS licenses
Problems with FOSS licensing
Misunderstanding of FOSS licenses: you have obligations
FOSS licenses and licensing can be complex and complicated
Keeping track of what FOSS is being used
Keeping track of FOSS licenses used by an application and how they interact
Your obligations: copyleft
GPL: requires source code to be offered to those who receive binaries
AGPL: additionally requires that the complete source code be made available to any network user
Your obligations: permissive
MIT: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."
BSD (3 clause): "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."
Who gets sued?
Whoever distributes the software without compliance
No excuses: ‘software from ODM in Taiwan’
Indemnification may help
But reputation is destroyed quickly
Contributor Agreements
Make legal questions around contributions explicit
Often requires copyright assignment or grants
Fedora Project Contributor Agreement (FPCA)
Defines default licenses that are used unless an explicit license is given
Current defaults:
  Code: MIT
  Content: Creative Commons Attribution ShareAlike 3.0 Unported
Does not assign copyright to Fedora or Red Hat
Debian
Every Debian developer has to agree to the DFSG and Social Contract
DFSG: Debian Free Software Guidelines
Social Contract: Debian will remain 100% free (according to DFSG)
debian/copyright: describes upstream copyright/license and that of the packaging
Linux kernel
Developer’s Certificate of Origin
The contribution was created by me and I have the right to submit it under the indicated open source license
The contribution is based on previous work that is also under the indicated license
The contribution was provided directly to me by someone who certified it and I didn’t modify it
I understand that the contribution and project are public and recorded
Signed-off-by: Martin Michlmayr <[email protected]>
Copyright assignments
Why?
Preserves the ability to relicense code
Ensures sufficient rights to enforce licences in court
Avoids and prevents later competing copyright claims
Why not?
Gives the copyright holder a lot of power
Makes it harder to contribute
Tools for compliance work
Binary Analysis Tool
FOSSology
Open Source License Checker
Proprietary tools from Black Duck, Palamida, etc.
FOSSology
FOSSology is a framework to study the source code of FOSS applications in a number of ways
Main functionality: detection of licenses in open source applications
Originally developed by HP, it is an open project with an open source license
FOSSology
You load code into the repository
You analyse it and put the results into a database
You view the results
FOSSology demo
FOSSology: the new release
Buckets
New license algorithm
Copyright agent
FOSSology demo
Scope of the problem
Prior to distributing a collection of software, each package needs to be reviewed to ensure compliance with all the licenses.
The supply chain for products now requires software copyright and licensing information for lawsuit avoidance and risk mitigation.
A package’s declared license may not always match the licenses of individual files inside the package itself.
A package may consist of thousands of files with different licenses in the files.
Need a standard way of referring to the legal compliance ‘bill-of-materials’ of a software package and to be able to exchange that information with others.
Solution: SPDX
Define a file format for license information to accompany open source packages
Focus: Just the facts – no interpretations
Benefits
Provides a unified method for exchanging license information
Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers
Structure of standard
Identification: metadata to associate analysis results with a specific package
Overview: facts that are properties of the entire package (e.g. package name, declared license)
File Specific: facts that are specific to each file included in a package (e.g. filename, copyright)
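As an added example (not from the slides, and not code of the SPDX project), the Python below reads an SPDX tag:value document, separates the package-level facts from the per-file facts that the three-part structure above describes, flags files whose concluded license differs from the package's declared license (the mismatch noted under "Scope of the problem"), and collects the copyright notices that MIT/BSD-style licenses require to travel with binaries. The tag names (SPDXVersion, PackageName, FileName, LicenseConcluded, FileCopyrightText) and the sample document are assumptions made for this example.

```python
import re
# Constructed sample document. The tag names (SPDXVersion, PackageName, FileName, ...)
# follow the SPDX tag:value syntax; they are an assumption here, not taken from the slides.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
PackageName: example-tool
PackageLicenseDeclared: MIT
FileName: ./src/main.c
LicenseConcluded: MIT
FileCopyrightText: <text>Copyright 2010 Example Author</text>
FileName: ./src/compat/strlcpy.c
LicenseConcluded: BSD-3-Clause
FileCopyrightText: <text>Copyright 1999 Example Contributor</text>
FileName: ./lib/vendored/hash.c
LicenseConcluded: GPL-2.0-only
FileCopyrightText: NOASSERTION
"""
UNKNOWN = ("NOASSERTION", "NONE")

def parse_spdx(text):
    """Split package-level facts from per-file facts (<text> blocks must fit on one line)."""
    package, files, current = {}, [], None
    for raw in text.splitlines():
        tag, sep, value = raw.strip().partition(":")
        if not sep or tag.startswith("#"):
            continue
        value = re.sub(r"^<text>(.*)</text>$", r"\1", value.strip())
        if tag == "FileName":            # each FileName opens a new per-file record
            current = {"name": value, "license": "NOASSERTION", "copyright": "NOASSERTION"}
            files.append(current)
        elif current is None:            # tags before the first FileName describe the package
            package[tag] = value
        elif tag == "LicenseConcluded":
            current["license"] = value
        elif tag == "FileCopyrightText":
            current["copyright"] = value
    return package, files

def find_license_mismatches(package, files):
    """Files whose concluded license differs from the package's declared license."""
    declared = package.get("PackageLicenseDeclared", "NOASSERTION")
    return [(f["name"], f["license"]) for f in files
            if f["license"] not in UNKNOWN + (declared,)]

def notice_lines(files):
    """Distinct copyright notices to ship with a binary, plus files whose copyright is not established."""
    notices = sorted({f["copyright"] for f in files if f["copyright"] not in UNKNOWN})
    missing = [f["name"] for f in files if f["copyright"] in UNKNOWN]
    return notices, missing
```

On the sample, the two files under BSD-3-Clause and GPL-2.0-only are reported against the MIT declared license, and the vendored file with no copyright fact is listed as needing manual review before distribution.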
Resources
Organizations
  FSF Free Software Licensing and Compliance Lab
  FSFE Freedom Task Force (FTF)
  gpl-violations.org
  Open Source Initiative (OSI)
  Software Freedom Law Center
Communities
  FOSSBazaar
  FSFE Legal Network
News and journals
  Groklaw
  International Free and Open Source Software Law Review
Conferences
  FSFE ELN (European Legal Network)
  EOLE - European Open Source Law Event
Software