#ESCBOS

Legal and practical concerns with open source software

Open Source Software (OSS)

• Richard A. Leach – Intellectual Property Attorney, Brooks Kushman, P.C.
• Rod Cope – Chief Technology Officer, Rogue Wave Software, Inc.

Disclaimer

• This presentation shall not be taken as legal advice and is only for educational purposes.

Agenda

• OSS: Why should I care?
• Copyright Law overview
• Copyleft Introduction
• OSS Licenses and terms
• Avoiding Liability
• OSS Strategy – Where to start
• Case Law
  – Jacobsen v. Katzer
  – Oracle v. Google
  – XimpleWare v. Versata et al
  – Welte v. Fantec GmbH (6/14/13 – Germany)

Open Source Software

• ~$60B/year savings*
• > 4 Billion Files
• > 7,500 repositories
• > 2,000 Licenses

https://www.blackducksoftware.com/
* http://www.freesoftwaremagazine.com/articles/creating_wealth_free_software

OSS Compliance: Should I care?

• Diversion of Time, Talent, Resources
• Impact to Customers & Reputation
• Potential waiver of IP rights
• Potential Damages

Copyright: What is it?

• Protection of Artistic Expressions, not ideas or functionality
  • Music
  • Movies
  • Artwork
  • Literature
  • Software

Rights of a Copyright Owner

• Exclusive rights
  • Distribute – Sell
  • Reproduce – Copy
  • Adapt – Create derivative work
  • Perform
  • Display
  • Transmit
• Neither Registration nor notice required to create protection

Copyright Introduction

[Diagram: Copyright – License and $$$ between Owner and User]

• Owner chooses to enter into a contract with User
• Owner grants rights to Sell, Copy, Adapt, . . .
• User provides some consideration ($$$)
• User agrees to abide by the license terms
• Other people not allowed to Sell, Copy, Adapt, . . .

Introduction to ‘Copyleft’

[Diagram: Copyright – License, $$$; Copyleft – License, $0.0]

Concept of Copyleft

• “To understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.” – RMS (Author of GPL)
• To keep open source software “free,” terms and conditions apply requiring licensed users to preserve that “freedom” for downstream users.

Copyleft – The Cost of Freedom

• Copyleft: a copyright licensing scheme for making a program (or other work) free, and requiring all modified and extended versions of the program to be free as well

http://www.gnu.org/copyleft/copyleft.en.html

Common Open Source Licenses

https://www.blackducksoftware.com/resources/data/top-20-open-source-licenses

What’s the difference?

> 75% of software uses 5 Licenses

MIT License

The MIT License (MIT)

Copyright (c) [year] [fullname]

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

http://opensource.org/licenses/MIT

GPLv3 License select sections

1. “The ‘Corresponding Source’ for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. . . . ”

6. Conveying Non-Source Forms: You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License

10. Automatic Licensing of Downstream Recipients: "...and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it."

11. Patents: . . . Each contributor grants you a non-exclusive, worldwide, royalty-free patent license . . .

http://www.gnu.org/licenses/gpl.txt

A History of License Options

• 1988 – BSD & MIT Licenses: Implied License &/or Estoppel
• 1991 – GPLv2: Implied License &/or Estoppel; Patent Disincentive Clause
• 2001 – CPL: Express Patent License; Broad Patent Retaliation Clause
• 2004 – Apache 2.0: Express Patent License; Patent Retaliation Clause
• 2007 – GPLv3: Broad Express Patent License; Anti-Tivoization clause; Patent Non-Assert; Patent Disincentive Clause
• 2012 – MPL 2.0: Express Patent License; Patent Retaliation Clause

Thoughts on Derivative Works?

Proprietary Software + MIT License (Static OR Dynamic Linking)
• Provide Copyright Notice
• Provide License

Proprietary Software + LGPL v2.1 (Dynamic Linking – Library, Executable)
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty in the OSS
• Provide Library Source Code

Proprietary Software + LGPL v2.1 (Static Linking – Executable)
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty in the OSS
• Provide proprietary Object Code and/or Source Code so that a modified Library can generate an executable

Proprietary Software + GPL v3 (Static OR Dynamic Linking)
• Provide Copyright Notice
• Provide License
• Provide Open Source code
• Provide modifications & change log
• Provide Disclaimer of warranty for all GPL code
• Provide proprietary Object Code and/or Source Code
• Provide License to all IP in the proprietary code that uses or is linked to GPL

Related to linking or something else?

GPL/GPL License Compatibility

http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility

Infringement – Consequences

• § 504 – Damages (Actual or Statutory)
  • Actual damages to Owner and profits of the Infringer
  • Statutory (Timely Registration required) $750 - $30,000 per infringement, If willful up to $150,000!
• § 505 – Costs and Attorney Fees
  • Usually linked with Willfulness (Pre-Registration required)
• § 502 – Injunction, § 503 – Impounding, and § 506 – Criminal Prosecution

Step 1: Have a license policy

• You must decide which licenses are acceptable for your company (and potentially your customers).
• The policy depends on how you plan to use the software.
• GENIVI has the following policy
  • Red – GPLv3; LGPLv2/3; BSD 4; MPL1.1; Flora
  • Yellow – GPLv2; LGPL2.1; AFL 3; OSL 3; OpenSSL; Public domain
  • Green – MPL 2.0; BSD 2/3; MIT/X11; Apache 1.1/2; Artistic 2/1

http://docs.projects.genivi.org/License/Public_Policy_for_GENIVI_Licensing_and_Copyright_v_1.0.pdf

[Graphic labels: NO, OK, ???]

Step 2: Educate your Developers

• Which software/licenses are acceptable and not
• Which software licenses need to be discussed
• How and who to contact with questions – Point Person
• Disclosure of software use to Point Person

Step 3: Compliance

Apple - iPhone

Mercedes-Benz

Example Supply Chain

[Diagram: Component Manufacturer; Development Board – Drivers; Sub-Assembly – Libraries; Product Manufacturer; OSS contribution; Retailer]

Who can help?

OpenLogic Audit Scan tool

Results of an audit scan tool

GPL v3.0 – what do we do now?

Dependency Issues Impact Licensing

• OSS often depends on or bundles other OSS
• Need to look at all the dependencies and bundled projects and their licenses
  • Important: The licenses may not be the same!
• Example:
  • Geronimo (Apache license) uses MySQL (GPL) through the MySQL driver (formerly LGPL but now GPL)
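
The dependency point above, checked against the red/yellow/green tiers from Step 1, as an added example that is not part of the original slides. The `unknown` tier and its ranking, the GPL version assigned to the driver, and the `commons-logging` edges are assumptions; the slash-abbreviated policy entries (for example "BSD 2/3") are expanded into separate names.

```python
# Added example (not from the slides): check every transitive dependency
# against the red/yellow/green tiers quoted in Step 1.
POLICY = {
    "red": {"GPLv3", "LGPLv2", "LGPLv3", "BSD 4", "MPL1.1", "Flora"},
    "yellow": {"GPLv2", "LGPL2.1", "AFL 3", "OSL 3", "OpenSSL", "Public domain"},
    "green": {"MPL 2.0", "BSD 2", "BSD 3", "MIT/X11", "Apache 1.1", "Apache 2",
              "Artistic 2", "Artistic 1"},
}
# Assumption: a license the policy does not list ranks between yellow and red.
SEVERITY = {"green": 0, "yellow": 1, "unknown": 2, "red": 3}

def tier(license_name):
    """Map a license name to its policy tier; unlisted names need review."""
    for name, licenses in POLICY.items():
        if license_name in licenses:
            return name
    return "unknown"

def audit(graph, licenses, root):
    """Walk all packages reachable from root; return (tier, path) worst first."""
    findings, seen, stack = [], set(), [(root, (root,))]
    while stack:
        pkg, path = stack.pop()
        if pkg in seen:  # shared dependency or cycle: report it once
            continue
        seen.add(pkg)
        findings.append((tier(licenses.get(pkg, "")), path))
        stack.extend((dep, path + (dep,)) for dep in graph.get(pkg, ()))
    return sorted(findings, key=lambda f: (-SEVERITY[f[0]], len(f[1]), f[1]))

def verdict(graph, licenses, root):
    """The product inherits the worst tier found anywhere in its tree."""
    return audit(graph, licenses, root)[0][0]

# Constructed sample modelled on the slide's Geronimo example. The GPL version
# of the driver and the commons-logging edges are assumptions.
GRAPH = {"geronimo": ["mysql-driver", "commons-logging"],
         "mysql-driver": ["commons-logging"]}
LICENSES = {"geronimo": "Apache 2", "mysql-driver": "GPLv2",
            "commons-logging": "Apache 2"}

if __name__ == "__main__":
    for level, path in audit(GRAPH, LICENSES, "geronimo"):
        print(f"{level:8} {' -> '.join(path)}")
```

The root package is green on its own, yet the tree as a whole comes out yellow because of the driver one level down.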

Multiple Packages, Multiple Licenses

• When a developer downloads and installs those projects they also get additional open source components that are installed automatically (over 90 additional!!)

AspectJ (19) - Ant (1.6.3) - Apache Avalon (4.1.2) - ASM (2.0) - ASM (2.2.1) - Batik (unknown) - BCEL (5.1) - Commons BeanUtils (unknown) - Commons Digester (unknown) - Commons Logging (unknown) - DocBook XML (4.1.2) - DocBook XSL Stylesheets (1.44) - FOP (0.20.5) - JDiff (unknown) - JUnit (3.8.1) - Jython (2.1) - Regexp (1.2) - Saxon (unknown) - Xalan (2.4.1) - JDK (1.4.2_12)

Spring Framework (61) - ActiveMQ (1.1) - Ant (1.6.5) - ANTLR (2.7.5H3) - AOP Alliance (1.0) - Apache (OJB) (1.0.4) - Apache xml-apis (1.2.01) - c3p0 (0.9.0.4) - cglib (2.1.3) - com.oreilly.servlet (1.0) - Commons Attributes (2.1) - Commons BeanUtils (1.6) - Commons Codec (1.3) - Commons Collections (3.1) - Commons DBCP (1.2.1) - Commons Digester (1.6) - Commons Discovery (0.2) - Commons Fileupload (1.0) - Commons HttpClient (3.0) - Commons Lang (2.1) - Commons Logging (1.0.4) - Commons Pool (1.2) - Commons Validator (1.1.4) - dom4j (1.6) - EasyMock (1.1) - Ehcache (1.1) - Enterprise Java Beans (2.0) - Free Marker (2.3.4) - Hessian (3.0.1) - Hibernate (2.1.7) - Hibernate (3.0.5) - HSQLDB (1.8.0) - iBATIS (2.1.7) - iText (1.3) - J2EE Connector Arch (1.0) - Jakarta JSTL (1.0.3) - Jamon (1.0) - Jasper Reports (1.0.3) - Java Servlet API (2.4) - JavaBeans (JAF) (1.0.1) - JavaMail (1.3) - JavaServer Faces (1.1) - JAX-RPC (1.1) - Jaxen (1.1-beta4) - JDBC (2_0) - JDO (2.0) - JMX (1.0) - JOTM (2.0.9) - JTA (1.0.1B) - JUnit (3.8.1) - jxl (2.6) - Log4j (1.2.13) - ORO (2.0.8) - POI (2.5.1) - Quartz (1.5.2) - Rowset (1.0.1) - Struts (1.2.8) - Tag Libs (1.0.6) - TOPLink (1.0) - Velocity (1.4) - Velocity Tools (1.1) - XDoclet (1.1)

Ant (7 bundled) - Apache xml-apis (1.5) - Xerces (2.6.2) - BCEL (5.1) - BeanShell (1.3.0) - BSF (2.3.0) - JUnit (3.8.1) - JDK (1.4.2_12)

MySQL Connector (9) - Ant-Contrib (1.0-b2) - AspectJ (1.2) - c3p0 (0.9.1-pre6) - Commons Logging (1.0.4) - JBoss Application Server (3.2.7) - JDBC (2_0) - JTA (1.0.1) - JUnit (3.8.1) - Log4j (1.2.9)

Bundling OSS into other code

[Diagram: Project Foo (GPL v2) and Project Time (BSD) bundled into Project Commercial (Restrictive EULA)]

What if I take a file that is under one license and I distribute it under a different license – do I have to comply with the original license?

Use of OSS under GPL

Example: How OSS is used may change...

[Diagram, from “Using OSS” to “Distributing OSS”: Internal Use; Revisions made to FOSS; Linked to or bundled with proprietary code; Use by wholly owned sub; Sub is sold to a 3rd party; Use by an outsourcer or contractor; Software shared with “partner” during further development; Software distributed to end users]

Changes in how FOSS is used can impact license compliance

Jacobsen v. Katzer: Opens the door

• Model train software under Artistic License
• Distribution without notice (non-compliance)
• Question: contract or copyright
  • Contract – State Court and no consideration (OSS is free)
  • Copyright – Federal Court
• OSS license obligations are conditions precedent to the license.
• Failure to comply with obligations extinguishes license.
• Case settled.

Google v. Oracle: Make or Buy?

Which should I choose?

Google v. Oracle: 9 lines is enough

“the jury reasonably found that Google’s copying of the rangeCheck files was more than de minimis;” - CAFC

APIs/taxonomy are copyrightable

• “the declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection” – CAFC (Google v. Oracle)

Versata, Ameriprise, Ximpleware

• “the GPL is a ‘viral’ license in the sense the incorporation of a GPL-covered software program into a new program ‘infects’ the new program and requires it to become open source, too” – District Court W.D. Texas
• Take away: Compliance is important even for customers (Ameriprise)

Welte v. Fantec – Germany

• GPLv2.0 software used in a media player
• Fantec: Fantec’s supplier assured them compliance with GPL terms.
• Result: Welte was awarded Attorney’s fees and damages.
• German Court stated:
  • “Here, Defendant was not allowed to rely merely on its suppliers’ assurances that the works supplied did not infringe any third-party rights.
  • In any case, Defendant should have performed its own review of the software, or have someone perform, by hiring knowledgeable third parties, such a review of the software offered and provided by Defendant – even if this would have resulted in additional costs.”

Roadmap to Compliance

• 1st appreciate Open Source Software’s benefits
• 2nd develop an Open Source Software Strategy
• 3rd know your code: Education, Point Person
• 4th know the licenses associated with your code
• 5th comply or use different software

Thank you

• Richard A. Leach – Intellectual Property Counsel, Brooks Kushman, P.C.
• Rod Cope – Chief Technology Officer, Rogue Wave Software, Inc.