Spdx - fossbazaar - licensing - fossa2010


FOSSBazaar-SPDX Initiative. Martin Michlmayr, Legal Issues: the IP licensing initiative of FOSSBazaar. HP OSS Division, Debian, Cyrius.

The State of Open Source Licensing and Ways to Improve It

Martin Michlmayr, Hewlett-Packard, tbm@hp.com

Martin Michlmayr The State of Open Source Licensing and Ways to Improve It

Agenda

Why licensing matters
Open source licensing

Contributor agreements
Copyright assignment

Tools for the detection of licenses: FOSSology
Standard for exchange of license information: Software Package Data Exchange (SPDX)

Not covered: licenses; legal advice

Target audience

Companies using open source, especially those that also distribute it

Must understand the importance of honouring licenses
Identify licenses and follow them
Work with projects to ensure their intentions are followed

Open source projects

Ensure that licensing is done right
Work with companies that use and distribute their software

Researchers

Can shed light on best practices
Can help improve the state of licensing

Why is licensing an important topic?

Increasing adoption and penetration of open source
Companies are getting sued, leading to more awareness:

SCO: question of code ownership
BusyBox, gpl-violations.org: complying with FOSS licenses

Problems with FOSS licensing

Misunderstanding of FOSS licenses: you have obligations
FOSS licenses and licensing can be complex and complicated
Keeping track of what FOSS is being used
Keeping track of FOSS licenses used by an application and how they interact

Your obligations: copyleft

GPL: requires source code to be offered to those who receive binaries
AGPL: additionally requires that the complete source code be made available to any network user

Your obligations: permissive

MIT: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

BSD (3 clause): "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution."

Who gets sued?

Whoever distributes the software without compliance
No excuses: ‘software from ODM in Taiwan’
Indemnification may help
But reputation is destroyed quickly

Contributor Agreements

Make legal questions around contributions explicit
Often requires copyright assignment or grants

Fedora Project Contributor Agreement (FPCA)

Defines default licenses that are used unless an explicit license is given
Current defaults:

Code: MIT
Content: Creative Commons Attribution ShareAlike 3.0 Unported

Does not assign copyright to Fedora or Red Hat

Debian

Every Debian developer has to agree to the DFSG and Social Contract
DFSG: Debian Free Software Guidelines
Social Contract: Debian will remain 100% free (according to DFSG)
debian/copyright: describes upstream copyright/license and that of packaging

Linux kernel

Developer’s Certificate of Origin

The contribution was created by me and I have the right to submit it under the indicated open source license
The contribution is based on previous work that is also under the indicated license
The contribution was provided directly to me by someone who certified it and I didn’t modify it
I understand that the contribution and project are public and recorded

Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
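The sign-off line above is what a maintainer checks before accepting a patch under the DCO. The script below, an added example rather than kernel code, verifies that a commit message ends with a Signed-off-by trailer block and that the commit author is among the signers; the trailer layout (trailers form the last paragraph of the message) follows git's convention, and the sample commit messages are constructed.

```python
"""Check commit messages for the Developer's Certificate of Origin sign-off.
Added example (not kernel tooling). Assumes git's trailer convention: the
trailers form the final paragraph of the message, one 'Key: value' per line."""
import re

SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$")
TRAILER_LINE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*:\s")


def trailer_block(message: str) -> list:
    """Return the lines of the final paragraph if it is a trailer block.
    The subject paragraph never counts as trailers, even if it has a colon."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:
        return []
    lines = paragraphs[-1].splitlines()
    if all(TRAILER_LINE_RE.match(ln) for ln in lines):
        return lines
    return []


def signoffs(message: str) -> list:
    """All (name, email) pairs from Signed-off-by trailers, in chain order."""
    result = []
    for ln in trailer_block(message):
        m = SIGNOFF_RE.match(ln)
        if m:
            result.append((m.group("name"), m.group("email").lower()))
    return result


def check_dco(message: str, author_email: str) -> list:
    """Problems that would make a maintainer bounce the patch: no sign-off at
    all, or a sign-off chain that does not include the commit author."""
    problems = []
    sigs = signoffs(message)
    if not sigs:
        problems.append("missing Signed-off-by trailer")
    elif author_email.lower() not in {email for _, email in sigs}:
        problems.append(f"author {author_email} has not signed off")
    return problems


# Constructed sample commit messages (not real kernel commits).
GOOD = """\
net: fix off-by-one in example buffer sizing

The length check let one byte too many through.

Signed-off-by: Martin Michlmayr <tbm@cyrius.com>
"""

RELAYED = """\
docs: clarify example option

Signed-off-by: Alice Example <alice@example.org>
Signed-off-by: Bob Maintainer <bob@example.org>
"""

UNSIGNED = """\
docs: clarify example option

Forgot to add the trailer.
"""

if __name__ == "__main__":
    for label, msg, author in (("good", GOOD, "tbm@cyrius.com"),
                               ("relayed", RELAYED, "carol@example.org"),
                               ("unsigned", UNSIGNED, "alice@example.org")):
        print(label, check_dco(msg, author) or "ok")
```

A relayed patch keeps every certifier in the chain (the third DCO clause above), so the check only requires that the author appears somewhere in it, not that they signed last.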

Copyright assignments

Why?

Preserves the ability to relicense code
Ensures sufficient rights to enforce licences in court
Avoids and prevents later competing copyright claims

Why not?

Gives the copyright holder a lot of power
Makes it harder to contribute

Tools for compliance work

Binary Analysis Tool
FOSSology
Open Source License Checker
Proprietary tools from Black Duck, Palamida, etc.

FOSSology

FOSSology is a framework to study the source code of FOSS applications in a number of ways
Main functionality: detection of licenses in open source applications
Originally developed by HP, it is an open project with an open source license

FOSSology

You load code into the repository
You analyse it and put the results into a database
You view the results

FOSSology demo

FOSSology: the new release

Buckets
New license algorithm
Copyright agent

Scope of the problem

Prior to distributing a collection of software, each package needs to be reviewed to ensure compliance with all the licenses.
Supply chain for products now requires software copyright and licensing information for lawsuit avoidance and risk mitigation.
A package’s declared license may not always match the licenses of individual files inside the package itself.
A package may consist of thousands of files with different licenses in the files.
Need a standard way of referring to the legal compliance ‘bill-of-materials’ of a software package and be able to exchange information with others.

Solution: SPDX

Define a file format for license information to accompany open source packages

Focus: Just the facts – no interpretations

Benefits

Provides a unified method for exchanging license information
Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers

Structure of standard

Identification: metadata to associate analysis results with a specific package
Overview: facts that are properties of the entire package (e.g. package name, declared license)
File Specific: facts that are specific to each file included in a package (e.g. filename, copyright)
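To make the three-part structure concrete, and to show the declared-versus-file license mismatch the "Scope of the problem" slide warns about, here is an added example that is not from the slides or the SPDX project. It parses a small tag/value document into identification, package and per-file facts and then flags files whose concluded license disagrees with the package's declared license. The tag names (SPDXVersion, PackageDeclaredLicense, FileName, LicenseConcluded, FileCopyrightText, NOASSERTION) follow the tag/value syntax SPDX published after this talk and are an assumption here; the sample document and the short copyleft list are constructed.

```python
"""Parse a minimal SPDX-style tag/value document and reconcile package-level
and file-level license facts. Added example, not slide or SPDX project code;
tag names follow the later SPDX tag/value syntax (assumption), and the
<text>...</text> wrapper is only handled on a single line here."""
from dataclasses import dataclass, field

# Constructed sample document (not a real package).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-1.0
DataLicense: CC0-1.0
DocumentComment: <text>constructed example document</text>

PackageName: example-lib
PackageVersion: 1.2.3
PackageDeclaredLicense: MIT

FileName: ./src/core.c
LicenseConcluded: MIT
FileCopyrightText: <text>Copyright (c) 2010 Example Author</text>

FileName: ./src/compat/regex.c
LicenseConcluded: GPL-2.0
FileCopyrightText: <text>Copyright (c) 2009 Somebody Else</text>

FileName: ./src/util.c
LicenseConcluded: NOASSERTION
FileCopyrightText: NOASSERTION
"""

# Partial, constructed list of copyleft identifiers for the obligation note.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}


@dataclass
class SpdxDocument:
    identification: dict = field(default_factory=dict)  # document-level facts
    package: dict = field(default_factory=dict)         # whole-package facts
    files: list = field(default_factory=list)           # one dict per file


def parse_spdx(text: str) -> SpdxDocument:
    """Split a tag/value document into the three sections from the slide:
    identification (document), overview (package) and file-specific facts.
    Tags that follow a FileName line belong to that file."""
    doc = SpdxDocument()
    current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>") and value.endswith("</text>"):
            value = value[len("<text>"):-len("</text>")]
        if tag == "FileName":
            current_file = {"FileName": value}
            doc.files.append(current_file)
        elif current_file is not None:
            current_file[tag] = value
        elif tag.startswith("Package"):
            doc.package[tag] = value
        else:
            doc.identification[tag] = value
    return doc


def license_findings(doc: SpdxDocument) -> list:
    """Files needing review before shipping: concluded license differs from
    the package's declared license, or no license was concluded at all."""
    declared = doc.package.get("PackageDeclaredLicense", "NOASSERTION")
    findings = []
    for f in doc.files:
        concluded = f.get("LicenseConcluded", "NOASSERTION")
        if concluded == "NOASSERTION":
            findings.append((f["FileName"], concluded, "no license concluded; needs review"))
        elif concluded != declared:
            reason = f"differs from declared {declared}"
            if concluded in COPYLEFT:
                reason += "; copyleft terms apply to binaries built from it"
            findings.append((f["FileName"], concluded, reason))
    return findings


if __name__ == "__main__":
    for name, concluded, reason in license_findings(parse_spdx(SAMPLE_SPDX)):
        print(f"{name}: {concluded} ({reason})")
```

A receiver who gets this file alongside the package can run the reconciliation instead of re-scanning thousands of files, which is the due-diligence redundancy the "Benefits" slide wants to remove; the NOASSERTION case is kept separate because "unknown" is a different risk from "known and different".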

Resources

Organizations
FSF Free Software Licensing and Compliance Lab
FSFE Freedom Task Force (FTF)
gpl-violations.org
Open Source Initiative (OSI)
Software Freedom Law Center

Communities
FOSSBazaar
FSFE Legal Network

News and journals
Groklaw
International Free and Open Source Software Law Review

Conferences
FSFE ELN (European Legal Network)
EOLE - European Open Source Law Event

Software
