This document discusses open source software adoption and licensing in composite projects. It notes that open source software adoption is nearly universal. Composite open source projects combine original code with third party code, resulting in mixed and sometimes hidden licensing. Properly understanding the licensing in composite projects requires examining declared project licenses, subfolder licenses, file licenses, and binaries, as hidden licenses may exist. Compatibility between licenses must also be considered. Formal open source project communities help manage licensing and governance. Due diligence is needed when using composite open source projects to understand all licenses to ensure compliance.
2. Confidential Protecode Inc. 2014
Agenda
Open Source Software Adoption and Creation
OSS Structure: Genesis vs Composite Projects
Licensing in Composite OSS Projects
Examples
Wrap-up and Q/A
Tiberius Forrester,
Director, Solution
Architecture
tforrester@protecode.com
OSS Market Penetration
Unstoppable growth
– 85% industry adoption (Gartner 2008)
– 98% worldwide adoption (Accenture 2010)
– 99% worldwide adoption forecast by 2016 (Gartner)
Adoption at various levels
– Organizational level
– Personal level
Not a niche play
– Automotive, healthcare, financial
– Cloud, mobile, database, security
– Gaming, tools, imaging, aerospace
– Anything that includes any code!
Open Source Software
What is OSS
– A software development and distribution model where the software license guarantees certain freedoms
– Also see OSI definition (http://opensource.org)
The value
– Faster development, more functions, easier integration and customisation
– Interoperability, adoption of open standards
– No license costs
– Freedom from vendor lock-in
– Allows rapid development of complex software systems
– Hundreds of thousands of projects available
• Protecode GIPS Statistics:
– 2.2M packages
– 0.5B OSS files
– 20B lines of code!
Adoption in Technology Organizations
Organizations and OSS
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
Licensing challenges of OSS
Produced by large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations
OSS Project Communities
Provide support infrastructure
– Organizational, legal and in most cases financial
• Funding through membership fees
Examples:
– Linux Foundation
– Apache Software Foundation
– Eclipse Foundation
– Mozilla, OpenStack, Django, Internet Systems Consortium (BIND project), OpenLDAP, Drupal, Postgres, OpenSSL
Established processes for
– Defining governance & policies
– Managing collaboration, security, documentation, conflicts
Generally associated with continuous innovation, trusted licensing, peer-reviewed quality
OSS Project Types
Genesis
– Homogeneous licensing
– Original content, no 3rd party included in packages
Example: log4j
Composite
– Mixed or homogeneous licensing
– Some original content, some 3rd party
Example: Vaadin
Distributions
– Mostly mixed licensing
– Mostly repackaged 3rd party
– Generally well structured, many packages
Example: 4MLinux
Licensing in Composite Projects
Project license
– A top level license, or top level document listing applicable licenses
– Look for website information, LICENSE, COPYING, or README files
Subfolder licenses
– Indicate sub-level OSS projects
– Not always present
File licenses
Exception: subfolders holding binaries or libraries
– Generally do not have a license document
– You are on your own to determine the binary or library licenses
Beware: binaries may expand into many subcomponents
– With their own (hidden or undeclared) licenses
Licenses and Copyrights in Headers
Source: analysis of 0.5 billion OSS files in the Protecode GIPS™ database
Project and License Mixes
Percentage of OSS packages and variety of licenses mentioned in the file headers
License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: GPL (and its variants) is incompatible with most other licenses (see https://www.gnu.org/licenses/license-list.html for a detailed list)
More details in “flac” subfolder …
Care must be taken to
– investigate the whole package permissions,
– remove unnecessary files, or
– use later versions
Wrap up
If you do not use open source software, you will be left out
– Managed adoption of open source software
Open source projects are composite projects
– … unless proven otherwise
– Declared licenses may not match the visible, or hidden, sublicenses
OSS packages released by formal OSS communities are preferred
Compliance requires
– Knowledge of what OSS packages are used
– Access to OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable.
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
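The checklist on the "Licensing in Composite Projects" slide (project license, subfolder licenses, file header licenses, binaries with no license document) and the scanning step in the compliance list above can be turned into a small survey script. This is an added example, not Protecode's product or any code from the deck; the license-file names, header phrases, binary extensions and the sample package it builds are illustrative assumptions.

```python
import os, re, tempfile
from collections import defaultdict

# Illustrative name and header patterns (assumptions); real scanners use large catalogues.
LICENSE_DOC = re.compile(r"^(LICENSE|COPYING|NOTICE|README)(\..*)?$", re.I)
HEADER_PATTERNS = {
    "GPL": re.compile(r"GNU General Public License|\bGPL\b"),
    "LGPL": re.compile(r"Lesser General Public License|\bLGPL\b"),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0"),
}
BINARY_EXT = {".jar", ".dll", ".so", ".a", ".exe", ".class"}

def scan_tree(root):
    report = {"declared": [], "subfolder_licenses": [], "unlicensed_binary_dirs": [],
              "header_licenses": defaultdict(set)}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        docs = sorted(f for f in filenames if LICENSE_DOC.match(f))
        binaries = {f for f in filenames if os.path.splitext(f)[1].lower() in BINARY_EXT}
        if rel == ".":
            report["declared"] = docs  # top-level project license document(s)
        elif docs:
            report["subfolder_licenses"].append(rel)  # nested OSS project
        if binaries and not docs:
            report["unlicensed_binary_dirs"].append(rel)  # no license document at all
        for f in sorted(set(filenames) - binaries):  # inspect only the first 30 lines
            with open(os.path.join(dirpath, f), encoding="utf-8", errors="ignore") as fh:
                head = "".join(fh.readline() for _ in range(30))
            for name, pat in HEADER_PATTERNS.items():
                if pat.search(head):
                    report["header_licenses"][name].add(f if rel == "." else f"{rel}/{f}")
    return report

def demo():
    # Build a constructed sample package in a temp dir and survey it.
    root = tempfile.mkdtemp()
    sample = {  # constructed contents, not taken from any real project
        "LICENSE": "Apache License, Version 2.0\n",
        "src/util.c": "/* Copied from a community forum post; GPL */\n",  # hidden license
        "third_party/libfoo/COPYING": "GNU Lesser General Public License\n",
        "third_party/libfoo/foo.c": "/* Part of libfoo, released under the LGPL. */\n",
        "lib/vendor.jar": "opaque binary blob",  # library with no license document
    }
    for name, text in sample.items():
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return scan_tree(root)
```

Run `demo()` to see the declared Apache license next to the GPL header hidden in `src/util.c`, the LGPL subproject, and the library folder that carries no license document at all.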
About Protecode
Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Accurate, usable and reliable products and services for organizations worldwide