O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Collaborative Open Source Compliance
Mindtrek 2016
17.10.2016
Martin von Willebrand
Chairman, Validos ry
Partner, HH Partn...
Validos ry
• Established 2008
• Validos helps members by producing open source
compliance services, based on member needs
...
Validos members as of 1 September 2016
Open source (OS) in a nutshell
Gilles Gonthier, Cc-By
OS Basics
• Open source, i.e. free software = software licensed with a license
that allows free use, examination, modifyin...
OS Basics
• What is open source?
– Effective sw development methodology
– Light-weight co-operation model
– Lower costs an...
OS Basics
• Compliance means acting rightfully, i.e. complying with laws, ethical
practices and in a sustainable way
• The...
OS Basics
• OS, OSS, FOSS
• Linux, linux distributions, GNU/Linux, Linus Torvalds
• Apache, could mean Apache Software Fou...
OSS Procurement / Use
• OSS is excellent for companies as a part of their
products and services
– Project deliveries
– Software products
– Servi...
How to Take OSS Into Use?
• Information on used packages needs to be in
the right place
• What processes are required?
– T...
Risk Management Perspective
• Why legal validation, i.e. compliance
• Two ~legal risk types
– Community risk, if non-compl...
Managing Risk
• Community Risk: Develop a good working relationship with OS-
community; create, maintain and communicate a...
OSS Publication
OSS Publication
• Organization creates software which it makes public in a git- or svn-
repository
• Developed code builds...
GPL License from User’s
Perspective
Managing Risk /
GPL v2
• A lot of misconceptions
• GPLv2 is NOT contagius, it contains reciprocity obligation (copyleft)
–...
Managing Risk,
GPL v2
• Copyleft and architecture trade practice
Thank you!
Próximos SlideShares
Carregando em…5
×

Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016

126 visualizações

Publicada em

Martin von Willebrand
Chairman, Validos ry
Partner, HH Partners Attorneys-at-law Ltd

Collaborative Open Source Compliance

Mindtrek 2016
17.10.2016

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016

  1. 1. Collaborative Open Source Compliance Mindtrek 2016 17.10.2016 Martin von Willebrand Chairman, Validos ry Partner, HH Partners Attorneys-at-law Ltd
  2. 2. Validos ry • Established 2008 • Validos helps members by producing open source compliance services, based on member needs • Open source enables many projects and products and speeds up development work, but complying with licenses is a challenge for everyone • Validos provides collaboration and top expertise • A growing database of 1000+ open source packages, extranet • Consultative services growing: policy and process consultation
  3. 3. Validos members as of 1 September 2016
  4. 4. Open source (OS) in a nutshell Gilles Gonthier, Cc-By
  5. 5. OS Basics • Open source, i.e. free software = software licensed with a license that allows free use, examination, modifying, copying and distribution without discrimination. May contain other terms. • Software which use is subject to same rules of nature than any other software: – Good and bad – Widely used and little used – Projects/sw which live long /short – Suitable / not suitable – Secure / non secure • Openness is a positive property – Which may result in unmanaged exploitation Gilles Gonthier, Cc-By
  6. 6. OS Basics • What is open source? – Effective sw development methodology – Light-weight co-operation model – Lower costs and increased speed for proprietary development – Business opportunity – Sw with an open source license iStockphoto.com
  7. 7. OS Basics • Compliance means acting rightfully, i.e. complying with laws, ethical practices and in a sustainable way • The golden rule of OSS Compliance: One must simultaneously satisfy the requirements of each applicable license. • If not possible, can’t be done.  Change of practices • In practice, risk appreciations needed. Gilles Gonthier, Cc-By
  8. 8. OS Basics • OS, OSS, FOSS • Linux, linux distributions, GNU/Linux, Linus Torvalds • Apache, could mean Apache Software Foundation, Apache License (1, 1.1 and 2), Apache http server Licenses • Copyleft i.e. reciprocity (NOT: viral effect, contagious, inheritance) • Permissive licenses: BSD, MIT, Apache and many others • Weak and strong copyleft / reciprocity – MPL – GPL, LGPL and Affero GPL (AGPL) Gilles Gonthier, Cc-By
  9. 9. OSS Procurement / Use
  10. 10. • OSS is excellent for companies as a part of their products and services – Project deliveries – Software products – Services over the Internet – (Developement, other internal use) – Business models • Use has to be managed • OSS is nothing special – Different types of software / packages / components – Choosing between alternatives: Same criteria as with closed software • OS licensing model is a benefit OSS Procurement and Use Lennysan, Cc-By
  11. 11. How to Take OSS Into Use? • Information on used packages needs to be in the right place • What processes are required? – Third party closed software is not taken into use without management (typically purchase process) • Typically needed, a process: – Selection – Validation • General technical and legal review • Specific review in relation to the applicable business model – Decision
  12. 12. Risk Management Perspective • Why legal validation, i.e. compliance • Two ~legal risk types – Community risk, if non-compliant • Community includes: 1) customers, employees of customers, 2) rest of downstream, 3) own employees, subcontractors 4) OSS-developers etc. • If realises results in badwill (”bad” corporate citizen) and increased legal risk – Legal risk, if non-compliant • Right holder intervenes: extra work, changing product, recalling products, destroying products, costs, compensations – Publication of own source code is a choice of the company iStockphoto.com
  13. 13. Managing Risk • Community Risk: Develop a good working relationship with OS- community; create, maintain and communicate a OS contact point for compliance matters • Comply with terms for distribution – act correctly, respect the authors, be active • Copyleft/reciprocity: create a sensible policy, and methods to address borderline cases – Take care of architecture questions (so called linking questions) – If needed, put requirements on the customer • Avoid being the distributor
  14. 14. OSS Publication
  15. 15. OSS Publication • Organization creates software which it makes public in a git- or svn- repository • Developed code builds upon or directly uses OSS components  need detailed OSS compliance – Do you distribute third party OSS software? • Dependencies – A lot! – Dependencies that are referred as a dependency list for build process and that are not in your own repository (other than the list) – Dependencies that need to be distributed in other connections, e.g. in production deployment. Easiest to fulfill obligations by distribute the source code in your repository  need detailed OSS compliance
  16. 16. GPL License from User’s Perspective
  17. 17. Managing Risk / GPL v2 • A lot of misconceptions • GPLv2 is NOT contagius, it contains reciprocity obligation (copyleft) – In order to distribute, must comply with reciprocity – No mechanism which would mean automatic licensing of a company’s own code under GPL v2 • Not aware of any such claim in any public court – Section 2 (introduction and sub-clause b) • GPL copyleft applies to distribution only (not e.g. use by yourself) – Does not apply to software as a service deliveries • Copyleft term includes some ambiguity – Distribution of GPL v2 licensed software with proprietary sw – When does copyleft apply? (In order to distribute…) – Can be put to perspective and solved
  18. 18. Managing Risk, GPL v2 • Copyleft and architecture trade practice
  19. 19. Thank you!

×