Android has revolutionized the mobile and device landscape and like many FOSS projects, Android is complex. Effective management and control requires training, tools, processes and standards. The SPDX standard will reduce friction in the mobile supply chain, increase efficiency and promote compliance.
Welcome to the session. Great to be here. I’m EVP for Product Development and Strategy at Black Duck. We have a number of customers that are producing Android devices and applications. I will share with you information and issues about the Android supply chain, Open SPDX and OSS licensing. However, I am not a lawyer and don’t give legal advice. You can stop by the booth to learn more, and I will also give you pointers to additional information.
Android is the clear winner and represents a huge market opportunity. It shows the power of OSS and community development.
License compliance has been in the news recently
This is the Google Android architecture diagram. The runtime runs on a virtual machine. External components like WebKit and SSL. Application developers and device manufacturers will innovate at different places in the architecture, as indicated by the yellow dots. Device manufacturers will modify lower in the architecture. The issue is that what you change, and what license the component is licensed under, will dictate a set of obligations.
Bionic library – Declared license: BSD. Google developed a custom library for the C compiler (libc) called Bionic. This was necessary for three main reasons. License: they wanted to keep GPL out of user space; Bionic code uses the BSD license (Hal note – glibc is under the LGPL). Size: the library has to be loaded in each process, so it needs to be small; Bionic is about 200K, or half the size of glibc (the GNU version of libc). Speed: limited CPU power means it needs to be fast; Bionic has a small size and fast code paths, including a very fast and small custom pthread implementation. Bionic has built-in support for important Android-specific services such as system properties and logging. It doesn’t support certain POSIX features, like C++ exceptions and wide chars, which were not needed on Android. Thus it’s not quite compatible with the GNU libc. All native code must be compiled against Bionic, not glibc. Bionic is Google’s rewrite of the C library. WebKit – Declared license: LGPL. Open source web browser engine; toolkit for web functionality. In both cases it is important to look below the declared license.
Meeting obligations while working with a supply chain in a dynamic environment makes complying with OSS obligations very, very challenging. Legal counsel and Black Duck have been approached with the question “This is a small device without documentation; do the obligations apply to me?” If you ship a device with OSS in it, that counts as a distribution, and the licenses and obligations apply to you. There are no exceptions for small devices or for how little room there is on the device for compliance. With the rapid product release cycle, products change frequently, and it becomes a real issue to match the precise source code to a device serial number. You must find a way to manage source code inventory and distribution. There is real benefit from an open platform, but if you ship the product you have the obligation. There is duplicate work being created by multiple vendors, so there is an opportunity for industry collaboration; I speak about such an effort in two slides. There is no downstream defense for an upstream violation. Some have thought, “Well, I got the code from someone else; it is their responsibility to comply.” Responsibility for making source code available, or for copyright obligations, cannot be turned over. Each organization in the supply chain is responsible for its own compliance. The only way to handle this obligation is to have a solid tracking and inventory system in place. Don’t want to duplicate work.
Great discussion in the industry about app stores: license compatibility, source code availability, notifications, warranty, indemnification. How to manage compliance while still enabling low cost distribution? Will compliance with obligations raise the price of the application? It puts a cost and burden on the community. FSF in Europe has a focus group on app stores. iTunes Terms of Service: places an additional obligation on the software that it must be licensed for use on a single device. The GPL doesn’t allow for additional obligations. Eben Moglen – founding director – SFLC. VLC media player was removed from iTunes in January 2011 for this reason. Android stores: the Google Android store appears to be compatible with the GPL. Focus on lower cost applications. Notice type of approach.