Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues

Managing Android and the
Complexity Inside:
Understanding the Open Source License
and Compliance Issues

Peter Vescuso
Black Duck Software

Agenda
 OSS in Mobile Trends
 Application Developers
– Basics of OSS licenses
– License considerations
– Resources

 Device Manufacturers
– Issues/Complexity/Supply chain
– What’ Inside Gingerbread
– Best Practices

 Summary

Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 2

Open Source Drives Mobile Innovation
New Mobile OSS Projects
4000

 Over 3,800 new OSS
3000
projects in 2010,
2000 doubling each of the last
3 years
1000

0
2005 2006 2007 2008 2009 2010  94% of new projects
that specify a platform
New 2010 FOSS Projects by are targeting Android
Platform and Apple/iOS

Windows
Apple iOS
2%
 Open source has
redefined the mobile
39% Blackberry
2%
Palm/Web OS
1%
industry and is spreading
Android
Symbian
1% far beyond
55% Meego/Maemo
0%

Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.

Android is a Huge Market Opportunity
50
45
 Gartner: Android to become
40 #2 Worldwide Mobile
35 Symbian Operating System in 2010,
30 Android #1 Position by 2014
25 RIM
20 Apple iOS
15 Windows
10 Other  Android is powering more
5 than smartphones….
0
2009
1 2010
2 2011
3 2014
4

Forecast: Mobile Communications Device Open OS Sales to End Users by OS (Market Share)
OS 2009 2010 2011 2014
Symbian 46.9 40.1 34.2 30.2
Android 3.9 17.7 22.2 29.6
RIM 19.9 17.5 15 11.7
Apple iOS 14.4 15.4 17.1 14.9
Windows 8.7 4.7 5.2 3.9
Other 6.1 4.7 6.3 9.6
Total 100 100 100 100

Source: Gartner (August 2010)

Android Devices: Phones, Tablets, eReaders,
Autos, more…..

Barnes & Noble Nook Lenovo LePad
Automobile: Android powered SaaB

Droid by Motorola Samsung Galaxy Dell Streak

HP Touchpad

HTC Evo Shift
Motorola Xoom


Android Compliance is a Growing Concern

“The vast majority of Android tablets
I've been able to find are shipping
without any source being made
available, and that includes devices
from well-known vendors. “ Matthew
Garrett, Red Hat, Linux Kernel
Developer

Source: //www.codon.org.uk/~mjg59/android_tablets/


Agenda
– Resources

– Best Practices

 Summary


Types of Open Source Licenses:
Reciprocal vs. Permissive

 Reciprocal (aka Copyleft).
– Requires licensee to make improvements or Most Popular Mobile OSS Licenses
enhancements available under similar terms. 1 GPL
– Example is the GPL: Licensee must distribute 2 LGPL
“work based on the program” and cause such 3 MIT
works to be licensed at no charge under the 4 Apache
terms of the GPL. 5 BSD
6 Microsoft
7 Artistic
8 Eclipse
9 Common Public lIcense
 Permissive. 10 Mozilla
– Modifications/enhancements may remain
proprietary.
– Distribution in source code or object code
permitted provided copyright notice & liability
disclaimer are included and contributors’
names are not used to endorse products.
– Examples: BSD, Apache Software License.


The OSS License Continuum

MIT

GPL LGPL MPL Apache

BSD

Stronger Weaker Permissive
Copyleft Copyleft licenses

Restrictive Permissive


Potential License Conflicts

 Proprietary licenses.
– Pay a fee
– Most don’t provide source

 Many OSS licenses allow restrictions on
end users (Apache 2), but GPL does not
 Some OSS licenses contain patent
termination clauses
 GPLv3 resolved incompatibilities with
Apache.


App Stores and FOSS Licenses
 GPL licensed app’s can not be distributed through the
Apple iTunes Store (or any store that imposes
restrictions)
– Apple ToS (terms of service) require that all software be licensed
for use on a single device only
– “Copylefted software can’t be un-freely relicensed, so it can’t be
transacted for under Apple’s current ToS” Eben Moglen, SFLC
– Just like GPLv2, GPLv3 prohibits distributors from placing additional
restrictions on the software through legal documents or similar
means” Brett Smith, Free Software Foundation

 Android stores
– “So far as we know…the Google Android market… do not place any
limitation on how a market participant’s application is licensed that
would inhibit distributing Android applications in the market under
copyleft licensing.” Eben Moglen, SFLC

 Permissive licenses (e.g., Apache, MIT, BSD) appear to
be compatible with app store ToS


Resources

 Webinar-based education:
– //www.blackducksoftware.com/webinars/legal/
– Introduction to Open Source Licenses
– Understanding the Top 10 Open Source Licenses
– Unraveling the Complexities of the GPL

 Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html


Agenda
– Resources

– Best Practices

 Summary


Issues for Device Manufacturers

How to control and manage building software on a
rapidly changing open-source operating system
with development forks, governed by multiple
licenses against an aggressive release cycle?

Typical concerns about Android:

 Uses the GPLv2 licensed Linux kernel
 Grown to a collection of ~165 different sub-components
 Written under ~19 different open source licenses
 Includes licenses that are reciprocal, and not all OSI-approved
Rapid change – averages a major release every 3 ¼ months


Android & Vendor Innovation

Developers

Typical areas of vendor/developer innovation
Source: Google - //source.android.com/


What’s Inside Android?

Android 2.3 (“Gingerbread”)

 165 Projects
– 83 are “External”
– Does not include Kernel Mirror

 Total Size
– Over 80,000 Files
– Over 2GB total size
– Does not include Kernel Mirror


A Look Inside Two Android Components:
Bionic & Webkit

License types in: Bionic License types in: Webkit

BSD 2.0* BSD 2.0
CMU License David M. Gay License
Cryptix License GPL 2.0
Free clause ICU License
FreeBSD LGPL 2.1*
Historical free MIT License V2
INRIA OSL MIT v2 with Ad Clause License
Intel OSL Mozilla Public License 1.1
Internet Software Consortium PCRE License
MIT Public Domain
Public Domain SWIG License
Python InfoSeek The wxWindows Library License
zlib/libpng License
X.Net License

*Declared license


Android 2.3: The Ingredients for “Gingerbread”

 Licenses
– Declared license: Apache 2.0
– Components reference 19 different licenses
– External components
 Linux, Webkit use reciprocal licenses (GPLv2,
LGPL)
– Other components: more than 30 of them use
reciprocal licenses (GPL, LGPL, CPL, etc.)
 e.g. dbus, grub, emma, e2fsprogs, bluez,
Bison
– Non-OSI approved licenses are used, including
OpenSSL and Bzip2


Managing FOSS in the Mobile Ecosystem and
Software Supply Chain
Out Source/ Your OS/Software Stack/Device
Offshore Company

Typical Smartphone has over 300 components
Corporate-Owned IP XML
Proprietary/Licensed IP Security
FOSS Networking
Outsourced development Email
Multi-level supply chains Graphics
Database
Web Services
Many more…

19 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.

Meeting Open Source License Obligations

 There is no "mobile device" or small appliance exception
which alters obligations under open source licenses
 When there is an obligation to provide source code, the
obligation is met only by providing the source code for the
specific device that is owned by the person requesting the
code
 The benefits of an open platform place the burdens of
compliance on every vendor that ships the platform
 There is no “downstream defense for upstream” violations
 Managing complexity requires the establishment of
consistent processes


Legal and IP Issues Depend on Your Position
in the Ecosystem

 Middleware, component developer
– Integration of your code with FOSS has implications for
I your IP
n – How downstream customers use your code may impact
t your IP
e
 Device manufacturer
g
r – Responsible for the entire bundle of components from
suppliers
a
t – Device driver code– open source it or not?
i  Application developer
o
n – Integration of your code with FOSS has implications for
your IP
– Also impacts distribution options


Software Package Data Exchange™ (SPDX™)

 Working group of FOSSBazaar
(governance best practices group
under Linux Foundation)
 Charter:
 Create data exchange standards to enable
license and component information sharing
(metadata)
 Participation from over 16
organizations including software,
systems and tool vendors, consultants
and foundations


Best Practices for Managing Android

Policy Process Technology

 Adopt and enforce an open source and third-party
code policy
 Identify and track all external code that is used
 Automate validation at the point of acquisition and
development
 Automate monitoring and tracking of Android
components
 Control the use of components and promote
standardization
 Use automation tools to produce complete Bills of
Material and reports for supply chain partners

Summary

 Android is highly successful and is
changing the mobile and device
landscape
 Like many FOSS projects, there is
complexity inside
 The legal and IP issues depend on
your role in the mobile supply
chain/ecosystem
 Effective management and control
requires training, tools, and processes


Information Resources
 Mark Radcliffe’s blog on the Bionic library:
“Android and the Kernel: It’s not that simple”
– //lawandlifesiliconvalley.com/blog/?p=593

 Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html

Email: pvescuso@blackducksoftware.com


Thank You

Peter Vescuso
Black Duck Software
pvescuso@blackducksoftware.com

Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Mehr von Black Duck by Synopsys

Mehr von Black Duck by Synopsys (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues