2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar. In this webinar, the panelists will discuss: - Open source and application security - Community-centered compliance as reflected in OpenChain and SPDX - The explosion of company involvement in collaborative projects - The direction of the VMware case and other topics we anticipate being hot this year Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver on to discuss the hot topics generating buzz in the year to come.

1. 1 © 2016 Black Duck Software, Inc. All Rights Reserved.
Open Source Outlook:
Expected Developments for
2016

2. 2 © 2016 Black Duck Software, Inc. All Rights Reserved.
SPEAKERS
Phil Odence
Vice President & General
Manager
Karen Copenhaver
Partner at Choate Hall & Stewart
Counsel for the Linux Foundation
Mark Radcliffe
Partner at DLA Piper
General Counsel for the Open Source
Initiative (OSI)

3. 3 © 2016 Black Duck Software, Inc. All Rights Reserved.
OPEN SOURCE TRENDS- ALL UP AND TO THE RIGHT
2015
• 95% in mission critical apps
• in every industry
• >30%+ of a typical code base
• >1.5M projects
• Productivity
• Innovation

4. 4 © 2016 Black Duck Software, Inc. All Rights Reserved.
AGENDA
• Emphasis on Compliance
• Enforcement efforts have motivated community-centered compliance
as reflected in:
• SPDX
• OpenChain
• Training
• Principles of Community-Oriented GPL Enforcement
• Open source and application security
• Explosion of company involvement in collaborative projects
• New topics on the horizon

5. 5 © 2016 Black Duck Software, Inc. All Rights Reserved.
INCREASED IMPORTANCE OF COMPLIANCE
• What is so hard?
• Complex License
• Changing technical realities
• Complex products
• Complex supply chains
• Rapid release cycles
• Multi-jurisdictional
• Coordination of software licenses
• Multiple documents
• Presented at different times in the sales cycle to different people with different
authority
• Additional open source licenses
• Conflicting terms
• Complex nature of modern IT and involvement of third parties
means supply chain needs to be managed

6. 6 © 2016 Black Duck Software, Inc. All Rights Reserved.
PROGRESS!
• SPDX adoption continues and use cases expand.
• Open Chain has released a proposed specification and is moving
forward with a fully established project governance.
• The Linux Foundation, the nonprofit organization enabling mass
innovation through open source, today announced the availability
of Open Source Compliance Basics for Developers, a free course
designed to provide software developers with knowledge about
legal and licensing issues for building and using open source
software.
• Principles of Community-Oriented GPL Enforcement released by
SFC.

7. 7 © 2016 Black Duck Software, Inc. All Rights Reserved.
LITIGATION
• Concerns about Copyright Trolls
• Patent Troll – non-practicing entity with the sole focus of using leverage to
extract money from alleged infringers
• Copyright Troll – developer acting outside of community norms to extract
money based on compliance failures
• Open Source “monetizers”
• VMware litigation

8. 8 © 2016 Black Duck Software, Inc. All Rights Reserved.
ORACLE VS GOOGLE: COPYRIGHT IN JAVA API
• Litigation over use of Java API by Google in Android
• CAFC reverses district court decision in favor of Google
District court: 872 F. Supp.2d 974 (N.D. Cal. 2012);
CAFC: 750 F.3d 1339 (Fed. Cir. 2014), cert. denied, 83
U.S.L.W. 3929 (U.S. June 29, 2015)
• Remanded to district court
• CEOs met on April 15, 2016 and were not able to settle it
• Key issue: Scope of copyright protection for API (note: similar
issue in Hellwig v. VMware litigation)

9. 9 © 2016 Black Duck Software, Inc. All Rights Reserved.
HELLWIG V. VMWARE (WELTE BLOG OVERVIEW
1)
• VMware is alleged to be using arts of the Linux kernel in their
proprietary ESXi product, including the entire SCSI mid-layer,
USB support, radix tree and many, many device drivers.
• Linux is licensed under GNU GPLv2 with a “modification” by
Linus Torvalds
• VMware has modified all the code they took from the Linux kernel
and integrated it into something they call vmklinux.
• VMware has modified their proprietary virtualization OS kernel
vmkernel with specific API/symbol to interact with vmklinux
• vmklinux and vmkernel interaction is uncertain

10. 10 © 2016 Black Duck Software, Inc. All Rights Reserved.
HELLWIG V. VMWARE (WELTE BLOG OVERVIEW
2)
• The judges acknowledged that this case is important and one of
first impression in Germany
• The judges understands that Linux is a collaborative, community-
developed operating system, and that the development process
is incremental and involves many authors.
• The judges understands and acknowledges that much discussion
has occurred about interfaces between different programs or
parts of a program, and that there are a variety of different
definitions and many interpretations of what interfaces are

11. 11 © 2016 Black Duck Software, Inc. All Rights Reserved.
HELLWIG V. VMWARE (WELTE BLOG OVERVIEW
3)
• Judges focused on amount of “copyright” material owned by
Hellwig which is claimed to be incorporated into the VMware
program
• VMware defense is, in part, that it could find very few functions
that could be attributed to Hellwig (less than 1% of the Linux code
used by VMware)
• Are vmkernel and vmklinux one of the following from a copyright
point of view:
• Separate programs / works
• One program / work

12. 12 © 2016 Black Duck Software, Inc. All Rights Reserved.
LEGACY OF VERSATA
• Focus on hybrid product licensing: getting licensing correct and
avoiding the Versata problem
• Will terminated licensees regularly raise the defense of “integration” with
GPLv2 licensed code?
• Will warranty claims against licensors arise from poorly drafted licenses
become common?

13. 13 © 2016 Black Duck Software, Inc. All Rights Reserved.
LF COLLABORATIVE PROJECTS LAUNCHED IN 2015

14. 14 © 2016 Black Duck Software, Inc. All Rights Reserved.
TORT LIABILITY FOR SOFTWARE
• “Broadly speaking, a tort is a civil wrong, other than a breach of
contract, for which the court will provide a remedy in the form of
an action for damages.”
• Theories
• Negligence
• Strict liability
• Manufacturing defect
• Design defect
• Inadequate warning
• Limits: Economic loss doctrine, limited to personal damages and
property damages (no lost profits)

15. 15 © 2016 Black Duck Software, Inc. All Rights Reserved.
NEGLIGENCE THEORY
• § 282. Negligence Defined
• In the Restatement of this Subject, negligence is conduct which falls below
the standard established by law for the protection of others against
unreasonable risk of harm. It does not include conduct recklessly
disregardful of an interest of others.
• § 285. How Standard of Conduct is Determined.
• The standard of conduct of a reasonable man may be established by a
legislative enactment or administrative regulation which so provides, or
adopted by the court from a legislative enactment or an administrative
regulation which does not so provide, or established by judicial decision, or
applied to the facts of the case by the trial judge or the jury, if there is no such
enactment, regulation, or decision.

16. 16 © 2016 Black Duck Software, Inc. All Rights Reserved.
STRICT LIABILITY IN TORT
• § 402A. Special Liability of a Seller of Product for Physical
Harm to User or Consumer.
• A product is defective when, at the time of sale or distribution, it contains a
manufacturing defect, is defective in design, or is defective because of
inadequate instructions or warnings. A Product:
• contains a manufacturing defect when the product departs from its intended
design even though all possible care was exercised in the preparation and
marketing of the product;
• is defective in design when the foreseeable risks of harm posed by the product
could have been reduced or avoided by the adoption of a reasonable alternative
design by the seller or other distributor, or a predecessor in the commercial chain
of distribution, and the omission of the alternative design renders the product not
reasonably safe;
• is defective because of inadequate instructions or warnings when the foreseeable
risks of harm posed by the product could have been reduced or avoided by the
provision of reasonable instructions or warnings by the seller or other distributor,
or a predecessor in the commercial chain of distribution, and the omission of the
instructions or warnings renders the product not reasonably safe.

17. 17 © 2016 Black Duck Software, Inc. All Rights Reserved.
CHALLENGES TO APPLICATION OF TORT TO SOFTWARE
• Negligence
• Lack of reasonable man
• Proof of causation
• Substantial factor
• Strict Liability
• Limited to certain types of products
• Policy decision by courts
• ALM: Court’s reluctance to impose liability on products that cannot be
manufactured “perfectly”

18. 18 © 2016 Black Duck Software, Inc. All Rights Reserved.
DECISIONS
• Little coherence
• Winter v. Putnam (1991)
• Dicta, not decision: Computer software should be subject to strict liability in
tort
• Toyota MDL Litigation for Unintended Acceleration
• Complex causation issues
• Software development procedures
• Hou-tex v. Landmark Graphics
• Defective software due to failure to update but no liability because it mistaken
well was “economic loss”

19. 19 © 2016 Black Duck Software, Inc. All Rights Reserved.
SECURITY FUNDAMENTALS
• Know what code you are using
• In your operations
• Know what code you are delivering to your customers
• Use quality code
• It is not the license
• It is the community
• Core Infrastructure Initiative
• Apply all available security patches immediately
• Upstream your modifications
• Consume tested code

20. 20 © 2016 Black Duck Software, Inc. All Rights Reserved.
INCREASING NUMBER OF OSS VULNERABILITIES
Reference: Black Duck Software knowledgebase, NVD, VulnDB
0
500
1000
1500
2000
2500
3000
3500
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open Source Vulnerabilities Reported Per Year

21. 21 © 2016 Black Duck Software, Inc. All Rights Reserved.
COMPUTER AUTHORSHIP OF SOFTWARE

22. 22 © 2016 Black Duck Software, Inc. All Rights Reserved.
WHO IS AN AUTHOR?
• Facts: Monkey uses camera to take selfies: Naruto (PETA) vs
David John Slater (January 26, 2016, N.D. Cal.)
• Rely on the statute and case law
• Statute does not determine
• Case law refers to “humans beings” and persons”
• Compendium of U.S. Copyright Office Practices (2014)
• [t]o qualify as a work of `authorship' a work must be created by a human
being. Works that do not satisfy this requirement are not copyrightable
• Similarly, the Office will not register works produced by a machine or mere
mechanical process that operates randomly or automatically without any
creative input or intervention from a human author.

23. 23 © 2016 Black Duck Software, Inc. All Rights Reserved.
HISTORY OF COMPUTERS AS AUTHORS
• Raised by Register of Copyright in 1965
• CONTU Report (review of certain issues in 1976 Act):
• "On the basis of its investigations and society's experience with the
computer, the Commission believes that there is no reasonable basis for
considering that a computer in any way contributes authorship to a work
produced through its use”
• Rationale (Professor Samuelson)
• The system has allocated rights only to humans for a very good reason: it
simply does not make any sense to allocate intellectual property rights to
machines because they do not need to be given incentives to generate
output.

24. 24 © 2016 Black Duck Software, Inc. All Rights Reserved.
ANDROID & EU
• 2015 Announcement of Investigation
• 2016 (April 20, 2016) Announcement of charges by Margrethe Vestager
• http://europa.eu/rapid/press-release_MEMO-16-1484_en.htm
• Pre-installed apps: The Commission's investigation showed that Google obliges
manufacturers, who wish to pre-install Google's app store for Android, Play Store, on
their devices, to also pre-install Google Search, and set it as the default search
provider on those devices. In addition, manufacturers who wish to pre-install Google's
Play Store or Search, also have to pre-install Google's Chrome browser. Thereby,
Google has ensured that Google Search and Google Chrome are pre-installed on
the significant majority of devices sold in the EEA.
• Anti-fragmentation :if a manufacturer wishes to pre-install Google proprietary apps,
including Google Play Store and Google Search, on any of its devices, Google requires
it to enter into an "Anti-Fragmentation Agreement" that commits it not to sell devices
running on Android forks.
• Exclusivity: Google has granted significant financial incentives to some of the
largest smartphone and tablet manufacturers as well as mobile network
operators on condition that they exclusively pre-install Google Search on
their devices

25. 25 © 2016 Black Duck Software, Inc. All Rights Reserved.
STRATEGY FOR FOSS ENGAGEMENT
• Tighten compliance
• Work on simple issues such as notices, license text, written offer and source
code offer
• Work on compliance by supply chain vendors
• Become better FOSS community members (and be seen to be
better members):
• contribute code to projects
• be visible and approachable
• participate in events and conferences
• share knowledge
• most importantly: help shape and reinforce community norms and
expectations on compliance

26. 26 © 2016 Black Duck Software, Inc. All Rights Reserved.
SUMMARY FOR SOFTWARE DISTRIBUTORS
• Understand what FOSS is included in your products.
• Develop a FOSS use (and management) policy to ensure that
you understand your obligations and can comply with them (for
an overview of FOSS and FOSS governance see
https://www.blackducksoftware.com/resources/webinar/introducti
on-open-source-software-and-licensing).
• Review your distribution agreements to ensure that they take into
account any terms imposed by FOSS in your product and modify
those terms as appropriate.

27. 27 © 2016 Black Duck Software, Inc. All Rights Reserved.
QUESTIONS?
Follow us!