
Leveraging Open Source in Cloud-based Applications

31 August 2012
LinuxCon North America / CloudOpen

Kamyar Emami, COO, Protecode Inc. [email protected]

Agenda

Open Source Software – It’s Everywhere!
– Reality of Software Development Today -> Software BoM Complexity
– Software IP & Code Portfolio Tracking Challenges

Open Source Software License Spectrum
– Permissive vs Copyleft Licenses
– Distribution-based vs Cloud-based Applications

Managing License Obligations
– Approaches to License Management
– Open Source Software Adoption Process (OSSAP) – Best Practices

Q & A

Open Source Software – It’s Everywhere!

99% of Global 2000 companies will incorporate open source into their operations by 2016*.

50% of organizations surveyed have adopted open-source software (OSS) solutions as part of their IT strategy*.

33% of responding organizations have a formal OSS policy in place*.

79% of IT developers use open source in their development projects**.

30% of respondents cited the benefit of increased innovation as a reason for adopting OSS solutions*.

“Gaining a competitive advantage has emerged as a significant reason for adopting an OSS solution”*.

“Programming has become more of a combination of piecing together existing components and adding your special sauce than it is an endeavor started from scratch”***.

*Gartner’s survey of 547 IT leaders in 11 countries, 2011
**Forrester Research (Jeff Hammond, LinuxCon, Aug. 10, 2010)
***TMCnet (Rich Tehrani, 2012)

Cloud + Open Source = Business Agility

80% of new commercial enterprise apps will be deployed on cloud platforms in 2012*.

50% cited business agility as their primary reason for adopting cloud applications**.

65% said that responding faster to the business is an important driver for cloud computing***.

25%+ is the growth rate of public cloud infrastructure, applications and platforms****.

*IDC, 2011
**Survey of 500 IT decision-makers by SandHill, 2010
***InformationWeek, 2010
****Gartner, 2011

Profusion of Open Source

Good Developers Don’t Write Code from Scratch – They Get Code!

Software IP and Code Portfolio Challenge

[Diagram: the firm’s code base combines its own code, commercial code and open source, fed by outsourcing, contracting and crowd sourcing; the organization loads and builds it into the end product. Caption: DO WE KNOW WHAT’S IN OUR SOFTWARE?!]

Contamination in software projects is common – sometimes unintentional

OSS Compliance – Problem? What Problem?

[Chart: survey responses by category]
– We do not have a problem
– We understand the issues & are considering options
– We are looking for tools to manage the problem
– We have a serious problem and need a solution now

Protecode Survey of 70 companies in NA and Europe, 2011

Why is Software IP important?

Intellectual Property Management impacts enterprise value
– Software is a significant source of effort and investment
• Exposure to third party rights
• Protecting own rights

Impact on commercial transactions
– Representations and warranties, IP indemnity clauses
– Real or perceived IP risks lower M&A value

A company’s financial health could depend on it
– Litigation, lawsuits, penalties, out of court settlements
• Oracle vs Google
• Microsoft vs Alcatel-Lucent (mp3)
• Welte vs D-Link, vs Fortinet
• Cisco vs Linksys
• Cisco vs GPL in iPhone
• FSF (Free Software Foundation) vs OpenTV
• SCO vs IBM (proprietary software found in open source)
• SFLC vs Monsoon Multimedia (BusyBox product), vs Verizon, vs Xterasys
• Veritas vs Microsoft

Veritas vs Microsoft

In Veritas Operating Corporation v. Microsoft Corporation, the Court was asked to consider a motion by Microsoft for a dismissal of claims brought by Veritas alleging, among other things, that Microsoft had misappropriated certain trade secrets of Veritas and infringed Veritas’ copyright when it developed and incorporated Logical Volume Manager (LVM) into its operating system products. In considering the motion, the Court observed that only 54 lines of code, or 0.03% of a code base of almost 160,000 lines, had been identified by Veritas as having been infringed. In addition, with the exception of two lines, the section of code in question was not copied verbatim. Instead, Microsoft changed the code by upgrading the programming language from C to C++.

In denying one of Microsoft’s arguments for dismissal of the copyright infringement claim, that the amount of code copied was de minimis, the Court noted that even where a relatively small quantity of code is copied, a finding of substantial similarity can still be made if the copied code is sufficiently important to the operation of the new program or gives the new program distinctive features or makes it more desirable.

Veritas versus Microsoft, United States District Court, Western District of Washington at Seattle, Case No. C06-0703-JCC (2008)

Software License Spectrum

Permissive Licenses    Copyleft Licenses (Weak -> Strong)    Proprietary Licenses
MIT                    EPL          GPL                      Commercial
BSD                    LGPL         AGPL
Apache

[Arrow labelled: Less “Freedom”]

Permissive and Copyleft Licenses

“Permissive”-licensed OSS comes with permission to modify and redistribute without necessarily making the source code available to others on the same terms
– E.g. BSD License

“Copyleft”-licensed OSS generally requires the modified version to be provided under the same license (subject to specific license requirements).
– In some cases merely linking GPL code with other code may require that the combination be licensed under GPL.
• E.g. GPL 2.1,

Facts About Using OSS

The manner in which OSS is used has significant implications
– Modified or Unmodified
– Commercial or non-Commercial
– Internal use or External release
– Linked or Incorporated
– Hosted Service or Distributed

Combining OSS with other OSS or Proprietary code
– When combining OSS licenses, you need to ensure license compatibility
– When combining OSS with proprietary code, several factors determine whether the code can remain proprietary
• This sub-branch is one of the most complex areas of OSS practice!

Distribution vs Cloud-Based

GPLv3 states that: “…you have certain responsibilities if you distribute copies of the software…you must make sure that they, too, receive or can get the source code.”

vs

AGPLv3 states that: “…your modified version must prominently offer all users interacting with it remotely through a computer network … an opportunity to receive the corresponding source of your version…”

GPL License Compatibility – Take Note!

http://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses

Approaches to License Management

License Management is most effective when applied early in the Software Development Life Cycle

OSS Adoption Maturity Model

– Voluntary policy compliance with Legal Advice
– Manual search and code review
– In-house Tools
– Automated Scanning with Reference Database
– Integrated suite of tools within SDLC

Software Analysis Options

Small projects could be managed manually
– Time consuming, prone to error

Automated Solutions
– Bring focus to policies and enforcement
– Help create a software inventory (or BoM)
– Speed up the discovery stage
– Generate various reports

              Manual                               Automated*
Preventive    Education, Policies, Trust (!)       Commercial
Corrective    Internal or External Software Audit  Open Source, Commercial

* Always requires some manual verification/confirmation

Open Source Software Adoption Process (OSSAP) Best Practices Survey

Protecode Survey of 70 companies in NA and Europe, 2011

8-Step OSS Management and Adoption Process
– Establish a licensing policy
– Deploy a pre-approval process
– Assess existing portfolio
– Screen incoming 3rd party code
– Schedule regular code scans
– Monitor check-ins into the software library
– Monitor real-time development
– Perform assessment prior to shipping
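
As an added example that is not part of these slides or of Protecode’s tooling, the following Python screens a software BoM against a licensing policy of the kind steps 1 and 4 above call for, using the usage factors listed under Facts About Using OSS (modified or unmodified, linked or incorporated, hosted service or distributed). The license groupings, verdicts and sample components are constructed assumptions that illustrate the deck’s distinctions; they are a policy for review, not a statement of what each license requires.

```python
from __future__ import annotations
from dataclasses import dataclass

# License families as grouped on the "Software License Spectrum" slide (constructed sets).
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1", "EPL-1.0"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0"}
NETWORK_COPYLEFT = {"AGPL-3.0"}  # obligation also reaches remote network users

@dataclass(frozen=True)
class Component:
    """One software BoM entry; license "UNKNOWN" marks code not yet identified."""
    name: str
    license: str
    modified: bool
    linkage: str  # "linked" (separate module) or "incorporated" (copied into own code)

def screen(c: Component, deployment: str) -> tuple[str, str]:
    """Apply the policy to one entry; returns (verdict, reason), verdict in approve/review/block."""
    if deployment not in ("distributed", "hosted"):
        raise ValueError(f"unknown deployment mode {deployment!r}")
    if c.license in PERMISSIVE:
        return "approve", "permissive: retain notices and attribution"
    if c.license in WEAK_COPYLEFT:
        if c.modified or c.linkage == "incorporated":
            return "review", "weak copyleft: modified or incorporated, check source obligations"
        return "approve", "weak copyleft: unmodified and separately linked"
    if c.license in STRONG_COPYLEFT:
        if deployment == "hosted":
            return "review", "strong copyleft: not distributed, confirm no distribution path"
        return "block", "strong copyleft: distributed combination may have to be GPL"
    if c.license in NETWORK_COPYLEFT:
        return "block", "network copyleft: remote users must be offered corresponding source"
    return "block", "license not identified: obligations cannot be assessed"

def screen_bom(bom: list[Component], deployment: str) -> dict[str, tuple[str, str]]:
    """Screen a whole BoM; a build gate would fail on any 'block' verdict."""
    return {c.name: screen(c, deployment) for c in bom}

# Constructed sample BoM for a hosted (cloud) service; names are not real components.
SAMPLE_BOM = [
    Component("webfw", "Apache-2.0", modified=False, linkage="linked"),
    Component("libcrypt", "LGPL-2.1", modified=True, linkage="linked"),
    Component("dbengine", "GPL-3.0", modified=False, linkage="linked"),
    Component("searchsvc", "AGPL-3.0", modified=True, linkage="incorporated"),
    Component("vendor-blob", "UNKNOWN", modified=False, linkage="incorporated"),
]
```

Running `screen_bom(SAMPLE_BOM, "hosted")` approves the permissive component, sends the modified LGPL library and the unmodified GPL engine to review, and blocks the AGPL service and the unidentified blob; the same GPL engine is blocked once the deployment mode is "distributed".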


Conclusion

Third party content, including open source, is everywhere
– An open source and third-party code policy needs to be adopted and enforced

Management of licenses and other attributes of 3rd party code should be viewed as an extension of a quality process
– All external code that is used needs to be identified and tracked

License management can be applied at different stages
– before product shipment,
– at developer’s desktop, or
– anywhere in between

Managing 3rd party software licenses involves a process

Automated solutions accelerate the discovery stage and simplify record keeping and reporting
– Regular analysis can significantly reduce on-going effort