SlideShare ist ein Scribd-Unternehmen logo

Licensing in Composite Open Source Projects

Als PPTX, PDF herunterladen
Protecode
Protecode

This document discusses open source software adoption and licensing in composite projects. It notes that open source software adoption is nearly universal. Composite open source projects combine original code with third party code, resulting in mixed and sometimes hidden licensing. Properly understanding the licensing in composite projects requires examining declared project licenses, subfolder licenses, file licenses, and binaries, as hidden licenses may exist. Compatibility between licenses must also be considered. Formal open source project communities help manage licensing and governance. Due diligence is needed when using composite open source projects to understand all licenses to ensure compliance.

Software
1 von 21
Confidential Protecode Inc. 2014 1 Licensing in Composite Projects Protecode Webinar Series December 2014
Confidential Protecode Inc. 2014 Agenda  Open Source Software Adoption and Creation  OSS Structure: Genesis vs Composite Projects  Licensing in Composite OSS Projects  Examples  Wrap-up and Q/A 2 Tiberius Forrester, Director, Solution Architecture tforrester@protecode.com
Confidential Protecode Inc. 2014 OSS Market Penetration  Unstoppable growth – 85% industry adoption (Gartner 2008) – 98% worldwide adoption (Accenture 2010) – 99% worldwide adoption (By 2016, Gartner)  Adoption at various levels – Organizational level – Personal level  Not a niche play – Automotive, healthcare, financial – Cloud, mobile, database, security – Gaming, tools, imaging, aerospace – Anything that includes any code! 3
Confidential Protecode Inc. 2014 Open Source Software  What is OSS – A software development and distribution model where software license guarantees certain freedoms – Also see OSI definition (http://opensource.org)  The value – Faster, functions, easier integration and customisation – Interoperability, adoption of open standards – No license costs – Freedom from vendor lock ins – Allows rapid development of complex software systems – Hundreds of thousands of projects available • Protecode GIPS Statistics: – 2.2M packages, – 0.5B OSS files – 20B lines of code! 4
Confidential Protecode Inc. 2014 Adoption in Technology Organizations  Organizations and OSS – Risk assessment • Risk of being involved vs risk of not being involved – Consideration -> Adoption -> Integral part of business  The most common factors affecting use of OSS in software projects – Concerns regarding intellectual property / licensing – Concerns regarding the security of the software – Service & support – Product capabilities/maturity – Difficulty of adoption / integration – Software quality – end user satisfaction – Software enhancements – innovation over time – Viability of the open source community 5
Confidential Protecode Inc. 2014 Licensing challenges of OSS  Produced by large number of developers over time – Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments  Questionable due diligence efforts of committers – Re-licensing efforts may not have been correctly handled  Code may: – Contain nested packages with their own set of issues – Contain code from books or community websites – Implement patents – Implement specifications that are subject to a license – Contain code generated by a tool where the output could be a derivative of input – Contain or implement APIs that may have their own obligations 6
Confidential Protecode Inc. 2014 OSS Project Communities  Provide support infrastructure – Organizational, legal and in most cases financial • Funding through membership fees  Examples: – Linux Foundation – Apache Software Foundation – Eclipse Foundation – Mozilla, Openstack, Django, Internet System Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL  Established processes for – Defining governance & policies – Managing collaboration, security, documentation, conflicts  Generally associated with continuous innovation, trusted licensing, peer-reviewed quality 7
Confidential Protecode Inc. 2014 OSS Project Types  Genesis – Homogenous licensing – Original content, no 3rd party included in packages Example: log4j  Composite – Mixed or homogenous licensing – Some original content, some 3rd party Example: Vaadin  Distributions – Mostly mixed licensing – Mostly repackaged 3rd party – Generally well structured, many packages Example: 4MLinux 8 lib
Confidential Protecode Inc. 2014 Licensing in Composite Projects  Project license – A top level license, or top level document listing applicable licenses – Look for website information, LICENSE, COPYING, or README files  Subfolder licenses – Indicate sub-level OSS projects – Not always present  File licenses  Exceptions: subfolder holding binaries or libraries – Generally do not have a license document – You are on your own to determine the binary or library licenses  Beware: binaries may expand into many subcomponents – With their own (hidden or undeclared) licenses 9
Confidential Protecode Inc. 2014 Licenses and Copyrights in Headers 10 Source: analysis of 0.5 Billion OSS files in Protecode GIPSTM Database
Confidential Protecode Inc. 2014 Project and License Mixes 11 Percentage of OSS packages and variety of licenses mentioned in the file headers
Confidential Protecode Inc. 2014 License Compatibility  Licenses with unacceptable terms  Licenses with conflicting terms – Not all licenses are compatible – Example: GPL (and its varieties) are incompatible with most other licenses (See https://www.gnu.org/licenses/license-list.html for a detailed list) 12
Confidential Protecode Inc. 2014 Copyleft vs Permissive Licenses 13
Confidential Protecode Inc. 2014 Composite Project 1  Grails (www.grails.org) – Open source web application framework 14
Confidential Protecode Inc. 2014 Composite Project 2  PhantomJS (BSD licensed, but includes QT, and other LGPL licensed libraries) 15
Confidential Protecode Inc. 2014 Composite Project 3  OggCodecs – Directshow filters for Ogg Vorbis  Package analysed: 0.61.7571 16
Confidential Protecode Inc. 2014 More details in “flac” subfolder …  Care must be taken to – investigate the whole package permissions, – remove unnecessary files, or – use later versions 17
Confidential Protecode Inc. 2014 Wrap up 18  If you do not use open source software, you will be left out – Managed adoption of open source software  Open source projects are composite projects – … unless proven otherwise – Declared licenses may not match the visible, or hidden, sublicenses  OSS packages released by formal OSS communities are preferred  Compliance requires – Knowledge of what OSS packages are used – Access to OSS package, its licenses, description and notes – Scanning of the package, determination of its composite nature, declared and hidden licenses – Ensuring the terms of the sublicenses are compatible and acceptable. – Removing any component that is not needed  Prevention works better than correction – Package pre-approval, due diligence during development, and at build time
Confidential Protecode Inc. 2014 About Protecode  Open source compliance and security vulnerability management solutions – Reduce IP uncertainties, manage security vulnerabilities and ensure compliance  Accurate, usable and reliable products and services for organizations worldwide 19
Confidential Protecode Inc. 2014 Q/A 20
Confidential Protecode Inc. 2014 Because Code Travels www.protecode.com

Empfohlen

Licensing in Composite Projects
Licensing in Composite ProjectsLicensing in Composite Projects
Licensing in Composite ProjectsTiberius Forrester
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskSource Code Control Limited
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskProtecode
 
Best practices for simplifying software audits
Best practices for simplifying software auditsBest practices for simplifying software audits
Best practices for simplifying software auditsTiberius Forrester
 
FOSSLight Open Source Project
FOSSLight Open Source Project FOSSLight Open Source Project
FOSSLight Open Source ProjectShane Coughlan
 
OpenChain: How to manage OSS licenses for CI/CD development
OpenChain: How to manage OSS licenses for CI/CD developmentOpenChain: How to manage OSS licenses for CI/CD development
OpenChain: How to manage OSS licenses for CI/CD developmentShane Coughlan
 
Where’s the license?
Where’s the license?Where’s the license?
Where’s the license?Protecode
 
Open Source at Scania
Open Source at ScaniaOpen Source at Scania
Open Source at ScaniaShane Coughlan
 

Empfohlen

Licensing in Composite Projects
Licensing in Composite ProjectsLicensing in Composite Projects
Licensing in Composite ProjectsTiberius Forrester
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskSource Code Control Limited
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskProtecode
 
Best practices for simplifying software audits
Best practices for simplifying software auditsBest practices for simplifying software audits
Best practices for simplifying software auditsTiberius Forrester
 
FOSSLight Open Source Project
FOSSLight Open Source Project FOSSLight Open Source Project
FOSSLight Open Source ProjectShane Coughlan
 
OpenChain: How to manage OSS licenses for CI/CD development
OpenChain: How to manage OSS licenses for CI/CD developmentOpenChain: How to manage OSS licenses for CI/CD development
OpenChain: How to manage OSS licenses for CI/CD developmentShane Coughlan
 
Where’s the license?
Where’s the license?Where’s the license?
Where’s the license?Protecode
 
Open Source at Scania
Open Source at ScaniaOpen Source at Scania
Open Source at ScaniaShane Coughlan
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Source Code Control Limited
 
Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...OW2
 
OpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - LyonOpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - LyonShane Coughlan
 
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...Shane Coughlan
 
OpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case StudiesOpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case StudiesShane Coughlan
 
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...Shane Coughlan
 
OpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introOpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introShane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021Shane Coughlan
 
OpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageOpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageShane Coughlan
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software ConceptsJITENDRA LENKA
 
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote MessageOpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote MessageShane Coughlan
 
Streamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-ApprovalStreamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-ApprovalProtecode
 
Lunix xx
Lunix xxLunix xx
Lunix xxdhabiahbader
 
Why documentation osidays
Why documentation osidaysWhy documentation osidays
Why documentation osidaysBastian Feder
 
Free and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply ChainFree and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply ChainShane Coughlan
 
Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Rogue Wave Software
 
Guide to Open Source Compliance
Guide to Open Source ComplianceGuide to Open Source Compliance
Guide to Open Source ComplianceSamsung Open Source Group
 
Osborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrixOsborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrixShane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021Shane Coughlan
 
Giving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumGiving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumShane Coughlan
 
Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Protecode
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementProtecode
 

Weitere ähnliche Inhalte

Was ist angesagt?

Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Source Code Control Limited
 
Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...OW2
 
OpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - LyonOpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - LyonShane Coughlan
 
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...Shane Coughlan
 
OpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case StudiesOpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case StudiesShane Coughlan
 
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...Shane Coughlan
 
OpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introOpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introShane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021Shane Coughlan
 
OpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageOpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageShane Coughlan
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software ConceptsJITENDRA LENKA
 
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote MessageOpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote MessageShane Coughlan
 
Streamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-ApprovalStreamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-ApprovalProtecode
 
Why documentation osidays
Why documentation osidaysWhy documentation osidays
Why documentation osidaysBastian Feder
 
Free and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply ChainFree and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply ChainShane Coughlan
 
Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Rogue Wave Software
 
Osborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrixOsborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrixShane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021Shane Coughlan
 
Giving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumGiving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumShane Coughlan
 

Was ist angesagt? (20)

Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
 
Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...Software Heritage, a revolutionary infrastructure for software source code, O...
Software Heritage, a revolutionary infrastructure for software source code, O...
 
OpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - LyonOpenChain Automotive Work Group Meeting #2 - Lyon
OpenChain Automotive Work Group Meeting #2 - Lyon
 
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
Bosch: AN UPDATE ON OUR ACTIVITIES IN AUTOMATING OSS COMPLIANCE: A WORKING SH...
 
OpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case StudiesOpenChain Continual Improvement Case Studies
OpenChain Continual Improvement Case Studies
 
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
OpenChain Webinar #11 - Open Source Issues Remediation - Jari Koivisto - 2020...
 
OpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introOpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-intro
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021
 
OpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageOpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software Heritage
 
Open Source Software Concepts
Open Source Software ConceptsOpen Source Software Concepts
Open Source Software Concepts
 
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote MessageOpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
OpenChain Japan Work Group Meeting #18 (Virtual Meeting #5) - Keynote Message
 
Streamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-ApprovalStreamline Open Source Compliance with Package Pre-Approval
Streamline Open Source Compliance with Package Pre-Approval
 
Lunix xx
Lunix xxLunix xx
Lunix xx
 
Why documentation osidays
Why documentation osidaysWhy documentation osidays
Why documentation osidays
 
Free and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply ChainFree and Open Source Software - Challenges for the Automotive Supply Chain
Free and Open Source Software - Challenges for the Automotive Supply Chain
 
Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...
 
Guide to Open Source Compliance
Guide to Open Source ComplianceGuide to Open Source Compliance
Guide to Open Source Compliance
 
Osborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrixOsborne Clarke - OpenChain - FOSSmatrix
Osborne Clarke - OpenChain - FOSSmatrix
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021
 
Giving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumGiving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
Giving Everyone Access To Open Source Best Practices: The OpenChain Curriculum
 

Ähnlich wie Licensing in Composite Open Source Projects

Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Protecode
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementProtecode
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply ChainsnexB Inc.
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Tiberius Forrester
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
Introduction to Open Source License and Business Model
Introduction to Open Source License and Business ModelIntroduction to Open Source License and Business Model
Introduction to Open Source License and Business ModelMohd Izhar Firdaus Ismail
 
Ubucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSSUbucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSSNuno Brito
 
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016Mindtrek
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Evernym
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suitejeff cheng
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...FINOS
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software CompliancenexB Inc.
 
Open Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingAll Things Open
 
Software Open Source in ambito industriale
Software Open Source in ambito industrialeSoftware Open Source in ambito industriale
Software Open Source in ambito industrialeBetter Software
 
Welcome to the FOSS4G Community
Welcome to the FOSS4G CommunityWelcome to the FOSS4G Community
Welcome to the FOSS4G CommunityJody Garnett
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webPaul Plaquette
 

Ähnlich wie Licensing in Composite Open Source Projects (20)

Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough?
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software Management
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit?
 
HP Fossology v5.3
HP Fossology v5.3HP Fossology v5.3
HP Fossology v5.3
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Introduction to Open Source License and Business Model
Introduction to Open Source License and Business ModelIntroduction to Open Source License and Business Model
Introduction to Open Source License and Business Model
 
Ubucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSSUbucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSS
 
Open Development
Open DevelopmentOpen Development
Open Development
 
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
 
Open Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are using
 
Software Open Source in ambito industriale
Software Open Source in ambito industrialeSoftware Open Source in ambito industriale
Software Open Source in ambito industriale
 
Open Source ETL
Open Source ETLOpen Source ETL
Open Source ETL
 
OWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply ChainOWF14 - Open Source & Software Supply Chain
OWF14 - Open Source & Software Supply Chain
 
Welcome to the FOSS4G Community
Welcome to the FOSS4G CommunityWelcome to the FOSS4G Community
Welcome to the FOSS4G Community
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_web
 

Kürzlich hochgeladen

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 

Kürzlich hochgeladen (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 

Licensing in Composite Open Source Projects

  • 1. Confidential Protecode Inc. 2014 1 Licensing in Composite Projects Protecode Webinar Series December 2014
  • 2. Confidential Protecode Inc. 2014 Agenda  Open Source Software Adoption and Creation  OSS Structure: Genesis vs Composite Projects  Licensing in Composite OSS Projects  Examples  Wrap-up and Q/A 2 Tiberius Forrester, Director, Solution Architecture tforrester@protecode.com
  • 3. Confidential Protecode Inc. 2014 OSS Market Penetration  Unstoppable growth – 85% industry adoption (Gartner 2008) – 98% worldwide adoption (Accenture 2010) – 99% worldwide adoption (By 2016, Gartner)  Adoption at various levels – Organizational level – Personal level  Not a niche play – Automotive, healthcare, financial – Cloud, mobile, database, security – Gaming, tools, imaging, aerospace – Anything that includes any code! 3
  • 4. Confidential Protecode Inc. 2014 Open Source Software  What is OSS – A software development and distribution model where software license guarantees certain freedoms – Also see OSI definition (http://opensource.org)  The value – Faster, functions, easier integration and customisation – Interoperability, adoption of open standards – No license costs – Freedom from vendor lock ins – Allows rapid development of complex software systems – Hundreds of thousands of projects available • Protecode GIPS Statistics: – 2.2M packages, – 0.5B OSS files – 20B lines of code! 4
  • 5. Confidential Protecode Inc. 2014 Adoption in Technology Organizations  Organizations and OSS – Risk assessment • Risk of being involved vs risk of not being involved – Consideration -> Adoption -> Integral part of business  The most common factors affecting use of OSS in software projects – Concerns regarding intellectual property / licensing – Concerns regarding the security of the software – Service & support – Product capabilities/maturity – Difficulty of adoption / integration – Software quality – end user satisfaction – Software enhancements – innovation over time – Viability of the open source community 5
  • 6. Confidential Protecode Inc. 2014 Licensing challenges of OSS  Produced by large number of developers over time – Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments  Questionable due diligence efforts of committers – Re-licensing efforts may not have been correctly handled  Code may: – Contain nested packages with their own set of issues – Contain code from books or community websites – Implement patents – Implement specifications that are subject to a license – Contain code generated by a tool where the output could be a derivative of input – Contain or implement APIs that may have their own obligations 6
  • 7. Confidential Protecode Inc. 2014 OSS Project Communities  Provide support infrastructure – Organizational, legal and in most cases financial • Funding through membership fees  Examples: – Linux Foundation – Apache Software Foundation – Eclipse Foundation – Mozilla, Openstack, Django, Internet System Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL  Established processes for – Defining governance & policies – Managing collaboration, security, documentation, conflicts  Generally associated with continuous innovation, trusted licensing, peer-reviewed quality 7
  • 8. Confidential Protecode Inc. 2014 OSS Project Types  Genesis – Homogenous licensing – Original content, no 3rd party included in packages Example: log4j  Composite – Mixed or homogenous licensing – Some original content, some 3rd party Example: Vaadin  Distributions – Mostly mixed licensing – Mostly repackaged 3rd party – Generally well structured, many packages Example: 4MLinux 8 lib
  • 9. Confidential Protecode Inc. 2014 Licensing in Composite Projects  Project license – A top level license, or top level document listing applicable licenses – Look for website information, LICENSE, COPYING, or README files  Subfolder licenses – Indicate sub-level OSS projects – Not always present  File licenses  Exceptions: subfolder holding binaries or libraries – Generally do not have a license document – You are on your own to determine the binary or library licenses  Beware: binaries may expand into many subcomponents – With their own (hidden or undeclared) licenses 9
  • 10. Confidential Protecode Inc. 2014 Licenses and Copyrights in Headers 10 Source: analysis of 0.5 Billion OSS files in Protecode GIPSTM Database
  • 11. Confidential Protecode Inc. 2014 Project and License Mixes 11 Percentage of OSS packages and variety of licenses mentioned in the file headers
  • 12. Confidential Protecode Inc. 2014 License Compatibility  Licenses with unacceptable terms  Licenses with conflicting terms – Not all licenses are compatible – Example: GPL (and its varieties) are incompatible with most other licenses (See https://www.gnu.org/licenses/license-list.html for a detailed list) 12
  • 13. Confidential Protecode Inc. 2014 Copyleft vs Permissive Licenses 13
  • 14. Confidential Protecode Inc. 2014 Composite Project 1  Grails (www.grails.org) – Open source web application framework 14
  • 15. Confidential Protecode Inc. 2014 Composite Project 2  PhantomJS (BSD licensed, but includes QT, and other LGPL licensed libraries) 15
  • 16. Confidential Protecode Inc. 2014 Composite Project 3  OggCodecs – Directshow filters for Ogg Vorbis  Package analysed: 0.61.7571 16
  • 17. Confidential Protecode Inc. 2014 More details in “flac” subfolder …  Care must be taken to – investigate the whole package permissions, – remove unnecessary files, or – use later versions 17
  • 18. Confidential Protecode Inc. 2014 Wrap up 18  If you do not use open source software, you will be left out – Managed adoption of open source software  Open source projects are composite projects – … unless proven otherwise – Declared licenses may not match the visible, or hidden, sublicenses  OSS packages released by formal OSS communities are preferred  Compliance requires – Knowledge of what OSS packages are used – Access to OSS package, its licenses, description and notes – Scanning of the package, determination of its composite nature, declared and hidden licenses – Ensuring the terms of the sublicenses are compatible and acceptable. – Removing any component that is not needed  Prevention works better than correction – Package pre-approval, due diligence during development, and at build time
  • 19. Confidential Protecode Inc. 2014 About Protecode  Open source compliance and security vulnerability management solutions – Reduce IP uncertainties, manage security vulnerabilities and ensure compliance  Accurate, usable and reliable products and services for organizations worldwide 19
  • 21. Confidential Protecode Inc. 2014 Because Code Travels www.protecode.com