LICENSE COMPLIANCE AND OPEN SOURCE SOFTWARE LOGISTICS FOR CLOUD-BASED APPLICATIONS
© 2014 Black Duck Software, Inc. All Rights Reserved. 
Kirsten Newcomer 
Director of Product Management, Black Duck Software 
@black_duck_sw
DISCLAIMERS 
I AM NOT A LAWYER 
THIS TALK DOES NOT PROVIDE LEGAL ADVICE 
2014: THE FUTURE OF OPEN SOURCE (survey)
RECORD-BREAKING RESPONSES
The Future of Open Source survey respondents by year:
• 2011: 453
• 2012: 740
• 2013: 822
• 2014: 1240
SURVEY RESPONDENTS
• 42% vendor
• 58% non-vendor
SURVEY RESPONDENTS: ROLES
Software engineer/developer, system architect/engineer, IT management & staff, VP, analyst, CEO/founder, president, CIO, line of business manager, marketing, sales/business development, educator, lawyer/investor, other
THE RISE OF SaaS AMONG OPEN SOURCE VENDORS
Software as a Service (SaaS) among open source vendors:
• 2012: 40%
• 2013: 47%
• 2014: 60% (SaaS moved to #1 from 2013)
OPEN SOURCE CENTRAL ACROSS TECHNOLOGY
Main areas where open source is leading the technology industry: cloud/virtualization (63%) and content management (57%) lead. The chart also lists mobile, security, collaboration, network management, social media, 3D printing, analytics and business intelligence, drones, gaming and ERP, with shares of 53%, 51%, 49%, 48%, 46%, 27%, 26%, 13%, 12% and 10%.
OPEN API FUELS OPEN SOURCE
Expected effect of open APIs on open source:
• 68%: will reinforce growth/adoption
• 14%: don't know/not sure
• 9%: will substitute for or inhibit growth
• 7%: will have no impact
WHAT ELSE DID WE LEARN? 
CORPORATE PARTICIPATION IN OSS
Over 50% of all enterprises are expected to contribute to and adopt open source.
CORPORATE PARTICIPATION IN OSS
30% make it easy for employees to participate in or start their own open source projects.
NEW PEOPLE IMPACTING OPEN SOURCE
The #1 factor in the explosion of small projects is first-time developers participating in open source, rated 2X more important than any other factor.
SO, HOW DOES THE RISE OF SAAS AFFECT YOU?
Odds are good that you're going to be working with open source:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
A quick refresher is in order…
• Goals of open source licenses
• Categories of licenses
OPEN SOURCE DEFINITION
1. Free Redistribution
2. Program must include Source Code and must allow distribution in source code as well as compiled form
3. Must Allow Modifications and Derived Works
4. Integrity of the Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License – no additional license can be required of others who redistribute the program
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral – not predicated on any individual technology
THE OSS LICENSE CONTINUUM
From permissive to restrictive:
• Permissive licenses: X11/MIT, Apache, BSD
• Weaker copyleft: LGPL, MPL
• Stronger copyleft: GPL, AGPL
COMMON MYTHS ABOUT OPEN SOURCE
• “Open source is in the public domain.”
• “All open source licenses are reciprocal/copyleft…”
• “None of these agreements are enforceable so it doesn’t really matter anyway.”
• “If I don’t distribute software, I don’t need to worry about licensing.”
• “All open source licenses require the release of source code for everything.”
• “No one will ever know.”
EVOLUTION OF SOFTWARE DELIVERY AND OPEN SOURCE LICENSES
“The GNU Affero General Public License . . . requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version.”
- Preamble to AGPL 3.0 license
Timeline, 1990 to 2010: GPL v2 (software delivered on CDs), then the ASP/SaaS loophole, then AGPLv1, GPLv3 and AGPLv3
THE GNU GPL FAMILY OF LICENSES
1991, GPL v2: private use is unrestricted; if you distribute object code, you must make source code available
LGPL v2: “work that uses library” versus “work based on library”
2002, AGPL v1: closes the network access loophole
2007, GPL v3: system library exception; internationalization (country-neutral terminology); license compatibility (Apache, Affero)
2007, LGPL v3: an additional permission for GPL v3 licensed code
2007, AGPL v3: includes all GPLv3 terms and adds the “Network Use” clause
• Network Use Clause: source code sharing obligation also extends to “all users who access through a computer network”
MORE ABOUT INTERNATIONALIZATION
Rights are tied to laws in specific countries; you do not have “copyright” but UK copyright, US copyright, French copyright, German copyright, etc.
Point of interest: the English tradition views copyright as an industrial right; the Continental tradition views copyright as the right of the artist.
GPL v2 is tightly tied to US copyright law:
• Legislative history and case law define “distribution,” “public distribution,” “limited distribution”
• Distribution means one thing in the US and another in Europe
• Even the term “public” has a long legal history in the US
It is impossible to say anything about “distribution” of copyrighted works that is globally accurate.
THE GNU GPLV3
GPL v3 changes language to use contract terms:
• Convey: to “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
• Propagate: to “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
BUT, GPLv3 intentionally does not close the SaaS loophole.
THE AGPL V3
Includes all GPLv3 terms and the “Network Use” clause.
Network Use Clause: source code sharing obligation also extends to “all users who access through a computer network”.
The network use clause is set forth below:
“Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.”
GPLV3 INTERACTION WITH AFFERO GENERAL PUBLIC LICENSE
GPLv3 does not incorporate the Affero General Public License requirements into GPLv3, but it does build a bridge…
Section 13 of GPLv3, Use with the GNU Affero General Public License:
• Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
NUMBER OF PROJECTS WITH AGPL-LIKE LICENSES
Over 1000 projects use AGPLv3
Source: Black Duck KnowledgeBase (did not include Apple Public Source License in analysis)
INDIVIDUAL SAAS LICENSE MARKET SHARE 
AS A PERCENTAGE OF TOTAL SAAS LICENSE MARKET 
Rank License % 
1 GNU Affero General Public License v3.0 53.93% 
2 Open Software License 2.0 21.07% 
3 Affero General Public License v 1.0 7.61% 
4 Open Software License 3.0 7.23% 
5 Common Public Attribution License 1.0 5.72% 
6 Academic Free License v3.0 1.95% 
7 Open Software License 2.1 1.86% 
8 Open Software License 1.1 0.25% 
9 Non-Profit Open Software License 3.0 0.22% 
10 Honest Public License 0.06% 
11 Rumba Exception to Gnu Affero General Public License V3.0 0.03% 
12 Zarafa Affero 3 License 0.03% 
13 Open Software License 1.0 0.03% 
AGPL-LIKE LICENSES DISCOVERED IN AUDITS
(chart; source: Black Duck Audit Data)
APPLE PUBLIC SOURCE LICENSE
Unique license from Apple:
1.4 "Externally Deploy" means: (a) to sublicense, distribute or otherwise make Covered Code available, directly or indirectly, to anyone other than You; and/or (b) to use Covered Code, alone or as part of a Larger Work, in any way to provide a service, including but not limited to delivery of content, through electronic communication with a client other than You.
If You Externally Deploy Your Modifications, You must make Source Code of all Your Externally Deployed Modifications either available to those to whom You have Externally Deployed Your Modifications, or publicly available. Source Code of Your Externally Deployed Modifications must be released under the terms set forth in this License, including the license grants set forth in Section 3 below, for as long as you Externally Deploy the Covered Code or twelve (12) months from the date of initial External Deployment, whichever is longer. You should preferably distribute the Source Code of Your Externally Deployed Modifications electronically (e.g. download from a web site).
COMMON PUBLIC ATTRIBUTION LICENSE
Drafted for Socialtext prior to AGPLv3: the Mozilla Public License with “External Deployment” provisions.
15. ADDITIONAL TERM: NETWORK USE. The term “External Deployment” means the use, distribution, or communication of the Original Code or Modifications in any way such that the Original Code or Modifications may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Code or Modifications as a distribution under section 3.1 and make Source Code available under Section 3.2.
OPEN SOFTWARE LICENSE/ACADEMIC FREE LICENSE
Unique licenses which use the “External Deployment” concept to extend the requirement to provide source code to network use as well as distribution:
5) External Deployment. The term "External Deployment" means the use, distribution, or communication of the Original Work or Derivative Works in any way such that the Original Work or Derivative Works may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Work or a Derivative Work as a distribution under section 1(c).
HONEST PUBLIC LICENSE
This license is a modified version of the GNU General Public License copyright (C) 1989, 1991 Free Software Foundation, Inc. and has been made with their permission, but has not been endorsed by the Free Software Foundation. Section 2(d) has been added to cover use of software over a computer network.
b) You must cause any work that you distribute, communicate to the public or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
PARTICULAR CHALLENGES COME WITH LICENSE COMBINATIONS
Applications are made up of many parts, often under many licenses:
• AGPL
• Apache
• BSD
• Commercial
Many SaaS applications have downloadable plug-ins with additional licenses, such as:
• GPL-licensed JavaScript
It’s important to evaluate compatibility:
• Licenses may include provisions which may be incompatible with the obligations of other licenses
• Even when license obligations can be incompatible, the issue is whether the obligations are triggered
• Be aware of file-level licenses as well; not all files in a project have the same license
NOW ADD IN DOCKER…
(diagram: the service alongside a downloadable browser app, mobile app and desktop app)
DOES DOCKER CHANGE THINGS?
• Docker is increasing the use of containers
• We seem to be on the verge of another delivery paradigm shift
• Are there any special considerations for OSS licenses when used in software distributed in containers?
  • What kind of a distribution, or conveyance, is a Docker container?
  • Does it depend on where it’s deployed?
    • You created it and you deploy it to your private cloud
    • You created it and you make it available for download in Docker Hub
  • What legal obligations do you have?
  • How do you manage those obligations?
  • How does the downstream consumer of the container know what obligations she incurs when deploying your container
    • for in-house use
    • for use in an externally facing SaaS application
    • for use by another downstream application
  • Does the fact that the container is fully encapsulated change anything?
  • How will you determine what the combination of licenses and obligations are for the contents of a Docker image that you download?
  • Will new license terms emerge in response to Docker containers?
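The Docker questions above (what combination of licenses and obligations sits in an image, and whether it depends on where it is deployed) and the earlier point that the real issue is whether an obligation is triggered can be turned into a check. The Python script below is an added example, not Black Duck tooling or code from the talk. It encodes the distinctions the deck draws: GPL-family source obligations are triggered by distribution/conveyance but not by network interaction, AGPL/OSL/AFL/CPAL/APSL obligations are triggered by network use ("External Deployment") as well, and GPLv3 section 13 lets AGPLv3 section 13 reach a combined work. The component names, the short license labels, the three deployment modes and the inventory of a container image are assumptions constructed here.

```python
"""Deployment-aware check of open source source-sharing obligations.

Added example, not Black Duck tooling or code from the talk. The license
table, deployment modes and inventory below are assumptions made here.
"""
from dataclasses import dataclass
from enum import Enum


class Deployment(Enum):
    INTERNAL = "internal"        # private use only; nothing leaves your organisation
    SAAS = "saas"                # users interact over a network, no copy is transferred
    DISTRIBUTED = "distributed"  # copies conveyed: installer download, image on a public registry


# License classes used by this example (labels chosen here, not an official list).
# "network:modified" follows the AGPLv3 s.13 / APSL 1.4 wording quoted in the deck,
# which attaches the duty to *modified* versions; "network:any" follows the CPAL s.15 /
# OSL s.5 wording, which covers the original work as well as modifications.
LICENSE_CLASS = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "GPL-2.0": "copyleft", "GPL-3.0": "copyleft",
    "LGPL-2.1": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "AGPL-3.0": "network:modified", "APSL-2.0": "network:modified",
    "CPAL-1.0": "network:any", "OSL-3.0": "network:any", "AFL-3.0": "network:any",
}


@dataclass(frozen=True)
class Component:
    name: str
    license: str
    modified: bool = False   # did you change this component's source?
    layer: str = "app"       # "base-image" for inherited layers, "app" for your own code


@dataclass(frozen=True)
class Finding:
    component: str
    license: str
    obligation: str          # empty string when nothing is triggered


def _obligation(c: Component, mode: Deployment) -> str:
    cls = LICENSE_CLASS.get(c.license)
    if cls is None:
        return "unknown license: review by hand"   # never let an unrecognised id pass silently
    if cls == "permissive":
        return ""                                   # notice/attribution duties are out of scope here
    if mode is Deployment.INTERNAL:
        return ""                                   # private use: nothing conveyed or externally deployed
    if cls == "copyleft":
        # GPLv3: mere interaction through a network with no transfer of a copy is not conveying
        return "provide source with the distributed copy" if mode is Deployment.DISTRIBUTED else ""
    if cls == "weak-copyleft":
        if mode is Deployment.DISTRIBUTED:
            return "provide source; scope depends on 'work that uses' vs 'work based on' the library"
        return ""
    if cls == "network:modified" and not c.modified:
        return ""                                   # unmodified: the quoted clause does not bite
    return "offer Corresponding Source to network users and distributees"


def evaluate(components, mode: Deployment) -> list:
    """One Finding per component, then the GPLv3 s.13 bridge applied across the combination."""
    findings = [Finding(c.name, c.license, _obligation(c, mode)) for c in components]
    # GPLv3 s.13: a GPLv3 work combined with an AGPLv3 work stays GPLv3, but AGPLv3 s.13
    # applies to the combination as such, so a live AGPL duty pulls the GPLv3 parts in.
    agpl_live = any(f.license == "AGPL-3.0" and f.obligation for f in findings)
    if agpl_live:
        findings = [
            Finding(f.component, f.license, "in an AGPLv3 combination: AGPLv3 s.13 applies to the combination")
            if f.license == "GPL-3.0" and not f.obligation else f
            for f in findings
        ]
    return findings


def triggered(components, mode: Deployment) -> set:
    """Names of components whose obligations are triggered under this deployment."""
    return {f.component for f in evaluate(components, mode) if f.obligation}


# Constructed inventory of one container image: inherited base layers plus your app.
IMAGE = [
    Component("tls-lib", "Apache-2.0", layer="base-image"),
    Component("shell", "GPL-3.0", layer="base-image"),
    Component("codec-lib", "LGPL-2.1", layer="base-image"),
    Component("webframework-fork", "AGPL-3.0", modified=True),
    Component("charting-plugin", "CPAL-1.0"),
    Component("ui-kit", "MIT"),
    Component("vendor-sdk", "Proprietary-EULA"),   # deliberately absent from the table
]

if __name__ == "__main__":
    for mode in Deployment:
        print(f"== {mode.value} ==")
        for f in evaluate(IMAGE, mode):
            if f.obligation:
                print(f"  {f.component:<18} {f.license:<16} {f.obligation}")
```

Running it shows the same image producing three different obligation sets: nothing but the unknown license for private use, the AGPL fork, the CPAL plug-in and (through the GPLv3 section 13 bridge) the GPLv3 shell for SaaS, and everything copyleft once the image is pushed to a public registry. Two design choices matter for a real pipeline: an identifier missing from the table is always reported rather than assumed harmless, and the base-image layers are evaluated together with your own code, because the obligation attaches to the combination you deploy, not only to what you wrote.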
TECHNICAL DECISIONS HAVE LEGAL IMPLICATIONS
• Choosing a FOSS project requires both legal and technical evaluation
• Compliance is mission critical
• Must understand the legal obligations as well as the code, and the community
• Security matters too, especially with Service solutions
OSS LOGISTICS IS ABOUT…
• Knowing what open source you use.
• Knowing where your open source is used.
• Knowing how your open source is deployed.
• Using open source code in a compliant way.
• Knowing what your legal obligations are.
• Working with the community to maintain the open source you use.
• Understanding the security of your open source.
• Participating effectively in the open source ecosystem.
TO DO THE RIGHT THING, YOU NEED TO KNOW
Strategy
• The business objectives for your application
License(s) & Obligations
• The set of obligations associated with your use of open source
Technology
• Automation to provide visibility, control and assist with compliance
Tens of thousands of developers leverage the GPL every day, and do it in compliance with its obligations; the community will do the same for AGPL.
THANK YOU 
QUESTIONS? 
KNEWCOMER@BLACKDUCKSOFTWARE.COM

Presented at LinuxCon Europe 2014 as: License Compliance and Open Source Software Logistics for Cloud-Based Applications

  • 1. LICENSE COMPLIANCE AND OPEN SOURCE SOFTWARE LOGISTICS FOR CLOUD-BASED APPLICATIONS. Kirsten Newcomer, Director of Product Management, Black Duck Software, @black_duck_sw. © 2014 Black Duck Software, Inc. All Rights Reserved.
  • 2. DISCLAIMERS: I AM NOT A LAWYER. THIS TALK DOES NOT PROVIDE LEGAL ADVICE.
  • 3. 2014: THE FUTURE OF OPEN SOURCE (survey).
  • 4. RECORD-BREAKING RESPONSES. Survey respondents, The Future of Open Source: 2011: 453; 2012: 740; 2013: 822; 2014: 1240.
  • 5. SURVEY RESPONDENTS: 42% vendor, 58% non-vendor.
  • 6. SURVEY RESPONDENTS, ROLES: software engineer/developer, system architect/engineer, IT management & staff, line of business manager, marketing, sales/business development, analyst, educator, lawyer/investor, VP, president, CIO, CEO/founder, other.
  • 7. THE RISE OF SaaS AMONG OPEN SOURCE VENDORS. Software as a Service (SaaS) as a delivery model: 2012: 40%; 2013: 47%; 2014: 60%. SaaS moved to #1 from 2013.
  • 8. OPEN SOURCE CENTRAL ACROSS TECHNOLOGY. Main areas where open source is leading the technology industry: cloud/virtualization 63%; content management 57%; mobile 53%; security 51%; collaboration 49%; network management 48%; social media 46%; then 3D printing, analytics and business intelligence, drones, gaming and ERP at 27%, 26%, 13%, 12% and 10% respectively (chart order).
  • 9. OPEN API FUELS OPEN SOURCE. Effect of open APIs on open source: 68% will reinforce growth/adoption; 9% will substitute for or inhibit growth; 7% will have no impact; 14% don't know/not sure.
  • 10. WHAT ELSE DID WE LEARN?
  • 11. CORPORATE PARTICIPATION IN OSS: over 50% of all enterprises are expected to contribute to and adopt open source.
  • 12. CORPORATE PARTICIPATION IN OSS: 30% make it easy for employees to participate in or start their own open source projects.
  • 13. NEW PEOPLE IMPACTING OPEN SOURCE: the #1 factor in the explosion of small projects is first-time developers participating in open source, rated 2x more important than any other factor.
  • 14. SO, HOW DOES THE RISE OF SAAS AFFECT YOU? Odds are good that you're going to be working with open source: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS). A quick refresher is in order: goals of open source licenses; categories of licenses.
  • 15. OPEN SOURCE DEFINITION: 1. Free Redistribution. 2. Program must include Source Code and must allow distribution in source code as well as compiled form. 3. Must Allow Modifications and Derived Works. 4. Integrity of the Author's Source Code. 5. No Discrimination Against Persons or Groups. 6. No Discrimination Against Fields of Endeavor. 7. Distribution of License: no additional license can be required of others who redistribute the program. 8. License Must Not Be Specific to a Product. 9. License Must Not Restrict Other Software. 10. License Must Be Technology-Neutral: not predicated on any individual technology.
  • 16. THE OSS LICENSE CONTINUUM, from permissive to restrictive: permissive licenses (X11/MIT, BSD, Apache); weaker copyleft (LGPL, MPL); stronger copyleft (GPL); AGPL.
  • 17. COMMON MYTHS ABOUT OPEN SOURCE: "Open source is in the public domain." "All open source licenses are reciprocal/copyleft..." "All open source licenses require the release of source code for everything." "If I don't distribute software, I don't need to worry about licensing." "None of these agreements are enforceable so it doesn't really matter anyway." "No one will ever know."
  • 18. EVOLUTION OF SOFTWARE DELIVERY AND OPEN SOURCE LICENSES. "The GNU Affero General Public License . . . requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version." (Preamble to the AGPL 3.0 license.) Timeline, 1990 to 2010: GPL v2 and software delivered on CDs; the ASP/SaaS loophole; AGPLv1; GPLv3; AGPLv3.
  • 19. THE GNU GPL FAMILY OF LICENSES
      • 1991, GPL v2: private use is unrestricted; if you distribute object code, you must make source code available.
      • LGPL v2: "work that uses the library" versus "work based on the library".
      • 2002, AGPL v1: closes the network access loophole.
      • 2007, GPL v3: system library exception; internationalization (country-neutral terminology); license compatibility (Apache, Affero).
      • 2007, LGPL v3: an additional permission for GPL v3 licensed code.
      • 2007, AGPL v3: includes all GPLv3 terms and adds the "Network Use" clause: the source code sharing obligation also extends to "all users who access through a computer network".
  • 20. MORE ABOUT INTERNATIONALIZATION. Rights are tied to laws in specific countries; you do not have "copyright" but UK copyright, US copyright, French copyright, German copyright, etc. Point of interest: the English tradition views copyright as an industrial right; the Continental tradition views copyright as the right of the artist. GPL v2 is tightly tied to US copyright law: legislative history and case law define "distribution," "public distribution," "limited distribution"; distribution means one thing in the US and another in Europe; even the term "public" has a long legal history in the US. It is impossible to say anything about "distribution" of copyrighted works that is globally accurate.
  • 21. THE GNU GPLV3. GPL v3 changes language to use contract terms. Convey: to "convey" a work means any kind of propagation that enables other parties to make or receive copies; mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. Propagate: to "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy; propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. BUT, GPL v3 intentionally does not close the SaaS loophole.
  • 22. THE AGPL V3 includes all GPLv3 terms and the "Network Use" clause: the source code sharing obligation also extends to "all users who access through a computer network". The network use clause is set forth below: "Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph."
  • 23. GPLV3 INTERACTION WITH AFFERO GENERAL PUBLIC LICENSE. GPLv3 does not incorporate the Affero General Public License requirements into GPLv3, but it does build a bridge. Section 13 of GPLv3, Use with the GNU Affero General Public License: "Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such."
  • 24. NUMBER OF PROJECTS WITH AGPL-LIKE LICENSES (chart): over 1000 projects use AGPLv3. Source: Black Duck KnowledgeBase (the Apple Public Source License was not included in the analysis).
  • 25. INDIVIDUAL SAAS LICENSE MARKET SHARE AS A PERCENTAGE OF TOTAL SAAS LICENSE MARKET (rank, license, share):
      1. GNU Affero General Public License v3.0: 53.93%
      2. Open Software License 2.0: 21.07%
      3. Affero General Public License v1.0: 7.61%
      4. Open Software License 3.0: 7.23%
      5. Common Public Attribution License 1.0: 5.72%
      6. Academic Free License v3.0: 1.95%
      7. Open Software License 2.1: 1.86%
      8. Open Software License 1.1: 0.25%
      9. Non-Profit Open Software License 3.0: 0.22%
      10. Honest Public License: 0.06%
      11. Rumba Exception to GNU Affero General Public License v3.0: 0.03%
      12. Zarafa Affero 3 License: 0.03%
      13. Open Software License 1.0: 0.03%
  • 26. AGPL-LIKE LICENSES DISCOVERED IN AUDITS (chart). Source: Black Duck Audit Data.
  • 27. APPLE PUBLIC SOURCE LICENSE, a unique license from Apple. Section 1.4: "Externally Deploy" means: (a) to sublicense, distribute or otherwise make Covered Code available, directly or indirectly, to anyone other than You; and/or (b) to use Covered Code, alone or as part of a Larger Work, in any way to provide a service, including but not limited to delivery of content, through electronic communication with a client other than You. "If You Externally Deploy Your Modifications, You must make Source Code of all Your Externally Deployed Modifications either available to those to whom You have Externally Deployed Your Modifications, or publicly available. Source Code of Your Externally Deployed Modifications must be released under the terms set forth in this License, including the license grants set forth in Section 3 below, for as long as you Externally Deploy the Covered Code or twelve (12) months from the date of initial External Deployment, whichever is longer. You should preferably distribute the Source Code of Your Externally Deployed Modifications electronically (e.g. download from a web site)."
  • 28. COMMON PUBLIC ATTRIBUTION LICENSE. Drafted for Socialtext prior to AGPLv3; it is the Mozilla Public License with "External Deployment" provisions added. "15. ADDITIONAL TERM: NETWORK USE. The term 'External Deployment' means the use, distribution, or communication of the Original Code or Modifications in any way such that the Original Code or Modifications may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Code or Modifications as a distribution under section 3.1 and make Source Code available under Section 3.2."
  • 29. OPEN SOFTWARE LICENSE / ACADEMIC FREE LICENSE. Unique licenses which use the "External Deployment" concept to extend the requirement to provide source code to network use as well as distribution: "5) External Deployment. The term 'External Deployment' means the use, distribution, or communication of the Original Work or Derivative Works in any way such that the Original Work or Derivative Works may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Work or a Derivative Work as a distribution under section 1(c)."
  • 30. HONEST PUBLIC LICENSE. "This license is a modified version of the GNU General Public License copyright (C) 1989, 1991 Free Software Foundation, Inc. and has been made with their permission, but has not been endorsed by the Free Software Foundation. Section 2(d) has been added to cover use of software over a computer network." Section 2(b): "You must cause any work that you distribute, communicate to the public or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License."
  • 31. PARTICULAR CHALLENGES COME WITH LICENSE COMBINATIONS
      • Applications are made up of many parts, with, often, many licenses: AGPL, Apache, BSD, commercial.
      • Many SaaS applications have downloadable plug-ins with additional licenses, such as GPL-licensed JavaScript.
      • It's important to evaluate compatibility:
        - Licenses may include provisions which may be incompatible with the obligations of other licenses.
        - Even when license obligations can be incompatible, the issue is whether the obligations are triggered.
        - Be aware of file-level licenses as well; not all files in a project have the same license.
  • 32. NOW ADD IN DOCKER… (diagram: a SaaS application alongside a downloadable browser app, mobile app and desktop app)
  • 33. DOES DOCKER CHANGE THINGS?
      • Docker is increasing the use of containers; we seem to be on the verge of another delivery paradigm shift.
      • Are there any special considerations for OSS licenses when used in software distributed in containers?
      • What kind of a distribution, or conveyance, is a Docker container? Does it depend on where it's deployed?
        - You created it and you deploy it to your private cloud.
        - You created it and you make it available for download in Docker Hub.
      • What legal obligations do you have? How do you manage those obligations?
      • How does the downstream consumer of the container know what obligations she incurs when deploying your container:
        - for in-house use
        - for use in an externally facing SaaS application
        - for use by another downstream application
      • Does the fact that the container is fully encapsulated change anything?
      • How will you determine what the combination of licenses and obligations is for the contents of a Docker image that you download?
      • Will new license terms emerge in response to Docker containers?
  • 34. TECHNICAL DECISIONS HAVE LEGAL IMPLICATIONS. Choosing a FOSS project requires both legal and technical evaluation. Compliance is mission critical: you must understand the legal obligations as well as the code, and the community. Security matters too, especially with service solutions.
  • 35. OSS LOGISTICS IS ABOUT… knowing what open source you use; knowing where your open source is used; knowing how your open source is deployed; using open source code in a compliant way; knowing what your legal obligations are; understanding the security of your open source; working with the community to maintain the open source you use; participating effectively in the open source ecosystem.
  • 36. TO DO THE RIGHT THING, YOU NEED TO KNOW: Strategy: the business objectives for your application. License(s) & Obligations: the set of obligations associated with your use of open source. Technology: automation to provide visibility, control and assist with compliance. Tens of thousands of developers leverage the GPL every day, and do it in compliance with its obligations; the community will do the same for AGPL.
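A first cut at the automation slide 36 calls for, written as an added example for this page (it is not code from the talk and not a Black Duck product): it reads SPDX-License-Identifier headers from a constructed sample tree, places each license on the continuum from slide 16, and reports for each component whether its deployment channel (in-house, conveyed as a download or container image, or run as a network service) triggers a source-sharing obligation, which is the "are the obligations triggered" question from slide 31 and the Docker question from slide 33. The license-to-category mapping and the trigger table are illustrative assumptions, not legal determinations; the deployment channels, component names and sample files are invented for the example. Files whose license cannot be identified are queued for review rather than cleared.

```python
"""Inventory the licenses in a source tree and report, per component, whether
the way that component is deployed triggers a source-sharing obligation.
Illustrative only: the mapping below is an assumption for this example and is
not a legal determination."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# SPDX identifier -> position on the license continuum from the talk (assumed).
CATEGORY = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-1.0-only": "network-copyleft",
    "AGPL-3.0-only": "network-copyleft",
    "OSL-3.0": "network-copyleft",
    "CPAL-1.0": "network-copyleft",
    "APSL-2.0": "network-copyleft",
}

# Deployment channel -> categories whose source-sharing obligation it triggers (assumed).
#   private:    in-house use, no copy leaves the organisation
#   distribute: copies are conveyed (download, image on Docker Hub, JS served to browsers)
#   network:    users interact with the running service remotely, no copy transferred
TRIGGERS = {
    "private": set(),
    "distribute": {"weak-copyleft", "strong-copyleft", "network-copyleft"},
    "network": {"network-copyleft"},
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([^\n*/]+)")
SPLIT_RE = re.compile(r"\s+(?:AND|OR)\s+")


def licenses_in(path: Path) -> set[str]:
    """Licenses declared in a file's SPDX header, or {'UNKNOWN'} if it has none.
    'A OR B' and 'A AND B' are both expanded so every candidate gets reviewed."""
    m = SPDX_RE.search(path.read_text(errors="replace"))
    if not m:
        return {"UNKNOWN"}
    return {part.strip() for part in SPLIT_RE.split(m.group(1).strip())}


def audit(root: Path, channels: dict[str, str]) -> list[dict]:
    """One finding per (file, license). Components are top-level directories;
    `channels` maps each one to how it is deployed."""
    findings = []
    for component, channel in channels.items():
        triggered = TRIGGERS[channel]
        for path in sorted(p for p in (root / component).rglob("*") if p.is_file()):
            for lic in licenses_in(path):
                category = CATEGORY.get(lic, "unknown")
                if category == "unknown":
                    status = "review"  # never silently cleared
                elif category in triggered:
                    status = "source-required"
                else:
                    status = "no-source-obligation"
                findings.append({"component": component, "channel": channel,
                                 "file": path.relative_to(root).as_posix(),
                                 "license": lic, "category": category,
                                 "status": status})
    return findings


def source_required(findings: list[dict]) -> set[str]:
    return {f["file"] for f in findings if f["status"] == "source-required"}


def needs_review(findings: list[dict]) -> set[str]:
    return {f["file"] for f in findings if f["status"] == "review"}


# Constructed sample tree (not a real project): a SaaS back end, the browser
# JavaScript it serves, and a plug-in bundle that users download.
SAMPLE_FILES = {
    "server/app.py": "# SPDX-License-Identifier: AGPL-3.0-only\n",
    "server/util.py": "# SPDX-License-Identifier: MIT\n",
    "server/vendor/orm.py": "# SPDX-License-Identifier: GPL-2.0-only\n",
    "server/legacy.py": "# no license header at all\n",
    "web/widget.js": "// SPDX-License-Identifier: GPL-3.0-only\n",
    "web/vendor/lib.js": "// SPDX-License-Identifier: MIT OR Apache-2.0\n",
    "plugins/exporter.py": "# SPDX-License-Identifier: LGPL-2.1-only\n",
}


def demo(channels: dict[str, str] | None = None) -> list[dict]:
    """Write the sample tree to a temp dir and audit it under the given channels."""
    channels = channels or {"server": "network", "web": "distribute", "plugins": "distribute"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        return audit(root, channels)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:21} {f['channel']:10} {f['license']:14} {f['file']}")
```

With the default channels the AGPLv3 server code, the GPLv3 JavaScript sent to browsers and the LGPL plug-in come back as source-required, while the GPLv2 ORM inside the service does not, because GPLv2's obligation follows distribution and the service only interacts with users over the network. Changing the server channel from network to distribute (publishing the back end as an image on Docker Hub, say) moves that same ORM to source-required without a line of code changing; only the deployment did. The file with no header comes back as a review item rather than a clean result, which is the practical form of slide 31's warning that not all files in a project carry the same license.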