The State of Open Source Licensing and Ways to Improve It

Martin Michlmayr, Hewlett-Packard, [email protected]

Upload: fossa-free-open-source-software-academia-conference

Post on 18-Dec-2014


DESCRIPTION

FOSSBazaar-SPDX Initiative. Martin Michlmayr, Legal Issues: the IP licensing initiative of FOSSBazaar. HP OSS Division, Debian, Cyrius.

TRANSCRIPT

Page 1: Spdx - fossbazaar - licensing - fossa2010

The State of Open Source Licensing and Ways to Improve It

Martin Michlmayr, [email protected]

Martin Michlmayr The State of Open Source Licensing and Ways to Improve It

Page 2

Agenda

- Why licensing matters
- Open source licensing
- Contributor agreements
- Copyright assignment
- Tools for the detection of licenses: FOSSology
- Standard for exchange of license information: Software Package Data Exchange (SPDX)

Not covered: licenses; legal advice

Page 3

Target audience

Companies using open source, especially those that also distribute it
- Must understand the importance of honouring licenses
- Identify licenses and follow them
- Work with projects to ensure their intentions are followed

Open source projects
- Ensure that licensing is done right
- Work with companies that use and distribute their software

Researchers
- Can shed light on best practices
- Can help improve the state of licensing

Page 4

Why is licensing an important topic?

- Increasing adoption and penetration of open source
- Companies are getting sued, leading to more awareness:
  - SCO: question of code ownership
  - BusyBox, gpl-violations.org: complying with FOSS licenses

Page 5

Problems with FOSS licensing

- Misunderstanding of FOSS licenses: you have obligations
- FOSS licenses and licensing can be complex and complicated
- Keeping track of what FOSS is being used
- Keeping track of FOSS licenses used by an application and how they interact

Page 6

Your obligations: copyleft

- GPL: requires source code to be offered to those who receive binaries
- AGPL: additionally requires that the complete source code be made available to any network user

Page 7

Your obligations: permissive

- MIT: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."
- BSD (3 clause): "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."

Page 8

Who gets sued?

- Whoever distributes the software without compliance
- No excuses: 'software from ODM in Taiwan'
- Indemnification may help
- But reputation is destroyed quickly

Page 9

Contributor Agreements

- Make legal questions around contributions explicit
- Often require copyright assignment or grants

Page 10

Fedora Project Contributor Agreement (FPCA)

- Defines default licenses that are used unless an explicit license is given
- Current defaults:
  - Code: MIT
  - Content: Creative Commons Attribution ShareAlike 3.0 Unported
- Does not assign copyright to Fedora or Red Hat

Page 11

Debian

- Every Debian developer has to agree to the DFSG and Social Contract
- DFSG: Debian Free Software Guidelines
- Social Contract: Debian will remain 100% free (according to DFSG)
- debian/copyright: describes upstream copyright/license and that of packaging

Page 12

Linux kernel

Developer's Certificate of Origin
- The contribution was created by me and I have the right to submit it under the indicated open source license
- The contribution is based on previous work that is also under the indicated license
- The contribution was provided directly to me by someone who certified it and I didn't modify it
- I understand that the contribution and project are public and recorded

Signed-off-by: Martin Michlmayr <[email protected]>

Page 13

Copyright assignments

Why?
- Preserves the ability to relicense code
- Ensures sufficient rights to enforce licences in court
- Avoids and prevents later competing copyright claims

Why not?
- Gives the copyright holder a lot of power
- Makes it harder to contribute

Page 14

Tools for compliance work

- Binary Analysis Tool
- FOSSology
- Open Source License Checker
- Proprietary tools from Black Duck, Palamida, etc.

Page 15

FOSSology

- FOSSology is a framework to study the source code of FOSS applications in a number of ways
- Main functionality: detection of licenses in open source applications
- Originally developed by HP, it is an open project with an open source license

Page 16

FOSSology

- You load code into the repository
- You analyse it and put the results into a database
- You view the results

Pages 17-34

FOSSology demo (screenshots only; no text on these slides)

Page 35

FOSSology: the new release

- Buckets
- New license algorithm
- Copyright agent

Pages 36-38

FOSSology demo (screenshots only; no text on these slides)

Page 39

Scope of the problem

- Prior to distributing a collection of software, each package needs to be reviewed to ensure compliance with all the licenses.
- The supply chain for products now requires software copyright and licensing information for lawsuit avoidance and risk mitigation.
- A package's declared license may not always match the licenses of individual files inside the package itself.
- A package may consist of thousands of files with different licenses in the files.
- Need a standard way of referring to the legal compliance 'bill-of-materials' of a software package and be able to exchange that information with others.

Page 40

Solution: SPDX

- Define a file format for license information to accompany open source packages
- Focus: just the facts – no interpretations

Benefits
- Provides a unified method for exchanging license information
- Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers

Page 41

Structure of standard

- Identification: metadata to associate analysis results with a specific package
- Overview: facts that are properties of the entire package (e.g. package name, declared license)
- File Specific: facts that are specific to each file included in a package (e.g. filename, copyright)
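The three FOSSology steps on slide 16 (load, analyse, view) and the SPDX sections on slide 41 can be illustrated together. The following Python is an added example written for this transcript; it is neither FOSSology code nor an SPDX reference implementation. It scans a handful of constructed source files for the MIT and BSD notice sentences quoted on slide 7 (the GPL phrase is an assumption: the usual GPL header wording, not on the slides), records one set of facts per file, renders them as an Identification / Overview / File Specific record, and then flags the slide-39 problem: files whose license differs from the package's declared license. The tag names (`SPDXVersion`, `PackageLicenseDeclared`, `LicenseInfoInFile`, `FileCopyrightText`, ...) follow the later SPDX 2.x tag-value syntax, which postdates this 2010 talk; the package name "widget" and all file contents are constructed.

```python
"""Toy license scan -> SPDX-style record -> declared-vs-file consistency check.
Added example for the FOSSology/SPDX slides; sample files are constructed."""
import re

# Notice phrases. MIT and BSD-3-Clause wording is the text quoted on slide 7;
# the GPL phrase is assumed to be the standard GPL header wording (not on the
# slides). Keys are SPDX short identifiers.
LICENSE_SIGNATURES = {
    "MIT": "permission notice shall be included in all copies or substantial portions of the software",
    "BSD-3-Clause": "redistributions in binary form must reproduce the above copyright notice",
    "GPL-2.0-only": "under the terms of the gnu general public license",
}
NOASSERTION = "NOASSERTION"  # SPDX value meaning "no statement is made"

COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\))?\s*(\d{4}(?:-\d{4})?)\s+([^\n]+)", re.IGNORECASE)

# Constructed sample package: paths -> file contents.
MIT_HEADER = """/*
 * Copyright (c) 2010 Example Corp.
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 */
"""
BSD_HEADER = """/*
 * Copyright (c) 2010 Example Corp.
 * Redistribution and use in source and binary forms are permitted provided
 * that the following conditions are met:
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 */
"""
GPL_HEADER = """/*
 * Copyright (C) 2009-2010 Jane Doe
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; version 2.
 */
"""
SAMPLE_PACKAGE = {
    "src/main.c": MIT_HEADER + "int main(void) { return 0; }\n",
    "src/util.c": MIT_HEADER + "int util(void) { return 1; }\n",
    "lib/compat.c": BSD_HEADER + "int compat(void) { return 2; }\n",
    "contrib/plugin.c": GPL_HEADER + "int plugin(void) { return 3; }\n",
    "README": "widget library\nSee the source files for license terms.\n",
}


def normalize(text):
    """Strip comment decoration and collapse whitespace so that a notice
    wrapped across comment lines still matches its signature phrase."""
    return " ".join(re.sub(r"[*/#]", " ", text).split()).lower()


def detect_license(text):
    """Return the SPDX identifier(s) whose signature phrase occurs in the text,
    joined with the SPDX 'AND' operator if several match, else NOASSERTION."""
    body = normalize(text)
    found = sorted(lic for lic, phrase in LICENSE_SIGNATURES.items() if phrase in body)
    return " AND ".join(found) if found else NOASSERTION


def extract_copyright(text):
    """First 'Copyright (c) YEAR HOLDER' statement in the file, normalised."""
    m = COPYRIGHT_RE.search(text)
    return f"Copyright (c) {m.group(1)} {m.group(2).strip()}" if m else NOASSERTION


def scan_package(files):
    """The 'analyse and store results' step: one fact record per file."""
    return [{"name": p, "license": detect_license(t), "copyright": extract_copyright(t)}
            for p, t in sorted(files.items())]


def render_spdx(package_name, declared, results):
    """Identification / Overview / File Specific sections as tag:value lines
    (SPDX 2.x tag-value syntax, assumed here; the talk names only the sections)."""
    from_files = sorted({r["license"] for r in results if r["license"] != NOASSERTION})
    lines = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", f"DocumentName: {package_name}", "",
             f"PackageName: {package_name}", f"PackageLicenseDeclared: {declared}"]
    lines += [f"PackageLicenseInfoFromFiles: {lic}" for lic in from_files]
    for r in results:
        cr = r["copyright"] if r["copyright"] == NOASSERTION else f"<text>{r['copyright']}</text>"
        lines += ["", f"FileName: ./{r['name']}", f"LicenseInfoInFile: {r['license']}", f"FileCopyrightText: {cr}"]
    return "\n".join(lines) + "\n"


def license_mismatches(declared, results):
    """Files whose detected license is neither the declared one nor undetermined."""
    return sorted(r["name"] for r in results if r["license"] not in (declared, NOASSERTION))


def undetermined_files(results):
    """Files with no recognised notice: these need a manual look before shipping."""
    return sorted(r["name"] for r in results if r["license"] == NOASSERTION)


if __name__ == "__main__":
    res = scan_package(SAMPLE_PACKAGE)
    print(render_spdx("widget", "MIT", res))
    print("not under the declared license:", license_mismatches("MIT", res))
    print("no detectable license:", undetermined_files(res))
```

Run with the package declared as MIT, the check reports `contrib/plugin.c` (GPL) and `lib/compat.c` (BSD) as files that do not match the declared license and `README` as undetermined; a real scanner such as FOSSology uses far richer matching, but the shape of the output (package-level facts plus per-file facts, then a comparison between the two) is the point of the SPDX slides.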

Page 42

Resources

Organizations
- FSF Free Software Licensing and Compliance Lab
- FSFE Freedom Task Force (FTF)
- gpl-violations.org
- Open Source Initiative (OSI)
- Software Freedom Law Center

Communities
- FOSSBazaar
- FSFE Legal Network

News and journals
- Groklaw
- International Free and Open Source Software Law Review

Conferences
- FSFE ELN (European Legal Network)
- EOLE - European Open Source Law Event

Software