This session examines how Legal Counsel can help software development teams create an automated compliance process to make daily decisions related to open source licenses.

1. Siemens.comUnrestricted © Siemens AG 2016
Four practical steps to scale
legal support for OSS use
Black Duck Flight 16, October 5, 2016

2. Unrestricted © Siemens AG 2016
Page 2 Thomas Schubert (LC TE SL)
Help > About
 I joined Siemens 2013
 My team comprises five + nine members
 We support two major software-heavy divisions, Digital Factory
and Process Industries and Drives generating a combined
annual revenue of approximately 20 billion Euro.
 Our portfolio transitions from a hardware to a software world

3. Unrestricted © Siemens AG 2016
Page 3 Thomas Schubert (LC TE SL)
The Siemens Digital Enterprise Software Suite
enables our customers to plan, engineer, run and maintain their factories

4. Unrestricted © Siemens AG 2016
Page 4 Thomas Schubert (LC TE SL)
At Siemens, proper Software Clearing is the
foundation of a healthy Software business
Our clearing activities protect our software business, enabling us to
1. Maintain our ability to sell our products (faster)
2. Protect our proprietary and acquired IP from devaluation
3. Mitigate security vulnerabilities
4. Enable controlled contributions to the OSS Community
5. Protect Siemens from exposure caused by copyright trolls and “disgruntled employees”
Clearing ensures compliance with all license obligations of the third-party software in our products

5. Key OSS Challenges for
big software companies

6. Unrestricted © Siemens AG 2016
Page 6 Thomas Schubert (LC TE SL)
Challenge 1: Applications are complex and require in-depth analysis
Sample Application V1
Open Source Components
License 1
Obligation
1
Obligation
2
Obligation
N
License 2
Obligation
1
Obligation
2
Obligation
N
License N
Obligation
1
Obligation
2
Obligation
N
Commercial
Components
License
Obligation
1
Obligation
2
Obligation
N
Component
Bundles
License
Obligation
1
Obligation
2
Obligation
N

7. Unrestricted © Siemens AG 2016
Page 7 Thomas Schubert (LC TE SL)
Challenge 2: OSS packages are getting bigger as platforms evolve
1. A typical Application contains 30-80 OSS Components
2. Each OSS Component has an average of 5-20 licenses
 Extreme Example 1: Chromium, 212 licenses, >100,000 files
 Extreme Example 2: QT, >600 licenses, >130,000 files, includes Chromium
 Sometimes, the main license is permissive and sub-licenses are restrictive (e.g. GPL)
3. Each license has 3-15 obligations in average
 This could mean, e.g.: 50 components × 10 licenses × 10 obligations = 5,000 obligations
 Every release needs to go through this process (including minor releases, patches, fixes)
 There is very little help out there to efficiently manage this complexity (e.g., SPDX is not really relevant)
 The industry is moving to online-only deployment which likely increases compliance exposure

8. Unrestricted © Siemens AG 2016
Page 8 Thomas Schubert (LC TE SL)
Challenge 3: Alternative OSS licensees pose interpretation challenges
1. Cumulative Licensing
 Issue: Multiple cumulative licenses apply to the same code
 Example: BSD3 and MIT
 No decision required, both licenses apply
2. Variable Licensing
 Issue: A variable license applies to the code
 Example: GPL any version
 Decision required
3. Conditional Licensing
 Issue: License privilege applies if implementation meets a certain condition
 Example: GPL2 with Classpath exception
 Exception check required
4. Alternative Licensing
 Issue: Multiple alternative licenses apply to the same code
 Example: BSD or GPL2
 Decision required

9. Four steps to manage
these key challenges

10. Unrestricted © Siemens AG 2016
Page 10 Thomas Schubert (LC TE SL)
Step 1: Define sustainable Software Clearing operating model
Build the right
team
Establish
scalable
platform
Create high-
performance
operation

11. Unrestricted © Siemens AG 2016
Page 11 Thomas Schubert (LC TE SL)
Step 2: Agree clearing standard, improve checklists, deliver on time
 Define parameters
 Define risk appetite and level of OSS package analysis: Main license only or all licenses
 Agree license models: Inbound analysis must follow outbound (sale) license models
• Identify your complete set of legal outbound license models
• Clear inbound licenses in accordance with the outbound models (e.g. SaaS and Affero GPL)
• Don’t forget distribution models on the horizon (e.g. SaaS)
 Manage commercial suppliers: Do you (re-)do their work or accept a compliance risk?
 Align delivery
 Standardize license analysis: Reduce the number of obligations to a minimum (“Lean Legal”)
 Coordinate internal supply chains: Agree how to handle component bundles
 Document processes, offer training, eliminate manual work, reuse existing information
 Measure performance
 Measure clearing data and KPIs
 Obtain clarity on present and future demand for OSS (and also commercial software)

12. Unrestricted © Siemens AG 2016
Page 12 Thomas Schubert (LC TE SL)
Step 3: Never stop optimizing
Old Word report New database-driven report

13. Unrestricted © Siemens AG 2016
Page 13 Thomas Schubert (LC TE SL)
Step 4: Invest in Outsourcing
 Some clearing activities are repetitive
 Scanning
 Interpretation of simple commercial EULAs
 Scalability is very difficult to accomplish without outsourcing/offshoring
 An efficient operation requires near-shore or off-shore clearing teams (ideally with second source)
 A functioning outsourcing requires an upfront investment in the people