SlideShare uma empresa Scribd logo

Open Source Software Licence Compliance: Art or science?

Shane Coughlan
Shane Coughlan

These are the slides from the keynote entitled 'Open Source Software Licence Compliance: Art or science?' at the OpenChain Summit 2022, presented by Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP.

Direito
1 de 21
Baixar para ler offline
Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP
The goal for OSS licence compliance… • Tooling which • Knows all the components you are using; • Knows exactly which licence is applicable to each component (including exceptions); • Can automatically generate a complete set of compliance artefacts; • Understands the terms you are trying to out-license on; • Understands the use case (distributable, app store, SaaS, containerized, embedded); • Generates build scripts and installation instructions where necessary; • Suggests remediation for potential problems; • Provides a repository which contains a set of pre-approved components; • Won’t allow/generates an error on build for non-compliance components.
The goal for OSS licence compliance… • Component sources which • Correctly identify the applicable licences • Correctly identify relevant dependencies • Correctly identify relevant dependencies for that particular build configuration • Have a reference implementation with correct compliance artefacts • We are confident do not have included code from elsewhere • Contain easily machine readable metadata covering the above
Challenges • The scale of the problem. An embedded system may contain over 100k components. • Legacy code does not use SPDX/REUSE etc. Much is being retrofitted, but sometimes it’s impossible. • Technology develops faster than compliance. Law develops slower than both • Containerization: where are all the components coming from? • Orchestration (e.g. Kubernetes) compounds this • What is “distribution”? • If you are not distributing to your client, but Docker is (for example), who must comply? • What about secondary liability? • An outsourced developer will frequently provide the compliance artefacts necessary to distribute the software to you….but insufficient information for you to distribute to your end users.
Real issues: examples from Linux Kernel File: arch/m68k/mac/config.c * Much of this was defined by Alan, based on who knows what docs. File: arch/arm/kernel/sys_arm.c * Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c (The file sys_i386.c no longer exists in the source tree.) File: drivers/staging/rtl8192e/rtllib_softmac.c * WPA code stolen from the ipw2200 driver. * Copyright who own it's copyright. File: drivers/staging/rtl8192e/rtllib_softmac_wx.c * Some pieces of code might be stolen from ipw2100 driver * copyright of who own it's copyright ;-)
Real issues: examples from Linux Kernel File: arch/alpha/kernel/smc37c669.c * This software is furnished under a license and may be used and copied... (No licence is specified - hopefully it is compatible with the GPL) Some typically unclear attributions/copyright notices: File: arch/powerpc/platforms/chrp/pegasos_eth.c * And anyone else who helped me on this (Following a set of attributions) File: arch/um/drivers/daemon_kern.c * Copyright (C) 2001 by various other people who didn't put their name here.
Real examples: GPL Overreach SQLMap: GPL, but with an extended definition of “derivative work” which includes any software which * Executes sqlmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw sqlmap output and so are not derivative works).
Code interaction – 3 axes of compliance To what extent must GPL code interact with other code to trigger the requirement for the other to be released under GPL? 1. How closely are the components combined? 2. How is the code delivered (distributed) to the user? 3. What sort of interface does the interaction use?
How closely are the components combined? a. running the two components on separate computers b. running the two components separate virtual machines c. running the two components in separate threads or processes d. running the two components sequentially in the same thread or process (e.g. as a plug in) e. running the two components dynamically linked f. running the two components statically linked g. combining the two components by inserting code from one into the other (e.g. copypaste)
How is the code delivered to the user? a. two components delivered separately at separate times, downloaded initiated by end-user b. two components delivered at the same time, with end-user explicitly accepting download of the copyleft component c. two components delivered simultaneously without the end-user’s explicit involvement, but are clearly separable within the package downloaded d. two components delivered simultaneously and pre-linked e. two components merged into one, inseparably.
How do the components communicate? a. two components communicate through command-line interface or some form of pre-existing inter process communication (e.g. SMTP, or pipes) b. two components communicate through an API which is publicly published and which pre-exists the copyleft component c. two components communicate through an API which is private but which can be demonstrated to pre-exist the copyleft component d. two components communicate through an API defined by the copyleft component e. two components are dynamically linked f. two components are statically linked g. two components are combined into a single executable, inseparably
So, do we need to apply GPL or not? 1. Establish how the interaction operates on all 3 axes. 2. The higher up the list the interaction is, in each case, the less is the likelihood of the problem. 3. Architect your application with this in mind. 4. This is not only a question of minimizing the possibility that you are infringing GPL (which is something only a judge can decide). It’s also about making it more difficult for a copyright holder to claim that you are.
General issues here: 1. The scope of secondary copyright liability (if I encourage, or provide instructions to, or automate a process which means that I am not distributing the code, but the end-user is, am I liable for secondary copyright liability?) 2. Is this true, even if what the end-user is doing is perfectly lawful in itself? 3. (Note: there are several, mainly US cases around Napster and Grokster etc. 4. Thought experiment: it was revealed some years ago that certain Intel CPUs contain a Management Engine running a variant of Minix. 1. If that software contained infringing components, could you, as the person owning and switching on the computer, be held liable? 2. Liability for copyright infringement is not dependent on knowledge or intent. Knowing about the IME, is that fair? 5. Conclusion: the main area where compliance is not being helped, is the law
Where to go from here? 1. Make it easier to find components with known licences, and better- defined dependencies - SPDX, REUSE, GitHub Licence Chooser 2. Clarify existing licence terms for older components - Please relicense to better known licences (and not to fauxpen licences) - Make the licensing information more consistent (e.g .Maven Central Repository) 3. Provide reference implementations, and example compliance materials - OpenChain, Oniro 4. But what about the law?
Blue Sky? How licensing works (in theory): • Developer A decides what rights they want to grant users, for all possible use cases. • Developer A works with legal advisers to either select a licence or draft a new one (!) • B decides they want to use A’s code, reads the licence (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge decides who’s right.
Blue Sky? How licensing works (in practice): • Developer A decides to write some software, and wants to open source it • A (hopefully) picks an existing licence which seems to do what they want, for most use cases. Possibly with the help of the legal dept. • B decides they want to use A’s code, and uses it in a way which is generally understood as acceptable (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge, who probably doesn’t know about FOSS decides who’s right.
Ultimately… A developer may have a pretty good idea of what permissions they want attached to their code, and what outcome they want for certain code combinations…. … but that clarity will be destroyed because the message is filtered through lawyers, the uncertain legal system (which differs between jurisdictions) and the ultimate arbiter is a judge, who may well know nothing about FOSS.
Is there a solution? • The law already acknowledges that the legal rights and obligations can be created without using natural language (e.g. derivatives). • Is it possible to remove the requirement that natural language is the only medium by which the rights and obligations of FOSS licences can be determined? • Can developers select a set of rights they want to apply to their code, and then an agreed algorithm determines how software interactions and compliance materials must be generated? • Can compliance (or at least a subset of it) become deterministic? • This won’t be perfect, but a developer may well settle with it being right 95% if the time.
Such an algorithm… • Must provide consistent and reproducible results. • Must have a mechanism for being updated as practice evolves. Challenges • How to deal with fair use/fair dealing? • As law becomes code (in the Lessig sense) how do we guard against bad actors manipulating governance or the algorithm. • How do we transition existing code into the algorithmic licence?
Conclusion • Compliance is getting more complex as the sheer number of components increases. • New technologies (containerization etc.) compound this • Compliance MUST be automated. There is great progress in this area. OpenChain, SPDX, REUSE frameworks, and technology from FOSSology, Scancode, SW360 and many more, including proprietary vendors, are making huge strides. • However, compliance is still, in part, an art, not a science. • The essence of open source is reducing friction. Can we reduce friction further by looking at the licensing process itself?
Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP

Recomendados

10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...Kyiv National Economic University
 
FITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT
 
Open Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementOpen Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementSebastiano Cobianco
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project ManagementSemen Arslan
 
Open source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsOpen source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsRogue Wave Software
 
The Business Case for Open Source GIS
The Business Case for Open Source GISThe Business Case for Open Source GIS
The Business Case for Open Source GISJoanne Cook
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 

Recomendados

10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...Kyiv National Economic University
 
FITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT
 
Open Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementOpen Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementSebastiano Cobianco
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project ManagementSemen Arslan
 
Open source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsOpen source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsRogue Wave Software
 
The Business Case for Open Source GIS
The Business Case for Open Source GISThe Business Case for Open Source GIS
The Business Case for Open Source GISJoanne Cook
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Lesson 2
Lesson 2Lesson 2
Lesson 2Sandra Ahn
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web ApplicationMichael Choi
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webPaul Plaquette
 
Internship msc cs
Internship msc csInternship msc cs
Internship msc csPooja Bhojwani
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnetrosu555
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Open Development
Open DevelopmentOpen Development
Open DevelopmentJody Garnett
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)dmgerman
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project reportAkash Rajguru
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source softwareRogue Wave Software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.combigclasses.com
 
Systems Administration
Systems AdministrationSystems Administration
Systems AdministrationMark John Lado, MIT
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 

Mais conteúdo relacionado

Semelhante a Open Source Software Licence Compliance: Art or science?

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web ApplicationMichael Choi
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webPaul Plaquette
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnetrosu555
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)dmgerman
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project reportAkash Rajguru
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source softwareRogue Wave Software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.combigclasses.com
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 

Semelhante a Open Source Software Licence Compliance: Art or science? (20)

Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web Application
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_web
 
Internship msc cs
Internship msc csInternship msc cs
Internship msc cs
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnet
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Open Development
Open DevelopmentOpen Development
Open Development
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project report
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.com
 
Systems Administration
Systems AdministrationSystems Administration
Systems Administration
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 

Mais de Shane Coughlan

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11Shane Coughlan
 
OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29Shane Coughlan
 

Mais de Shane Coughlan (20)

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11
 
OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29
 

Último

INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxnyabatejosphat1
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourBhavikaGholap1
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhaiShashankKumar441258
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULEsreeramsaipranitha
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxRRR Chambers
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书SS A
 
Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Oishi8
 
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881mayurchatre90
 
Debt Collection in India - General Procedure
Debt Collection in India - General ProcedureDebt Collection in India - General Procedure
Debt Collection in India - General ProcedureBridgeWest.eu
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书E LSS
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书Fs Las
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxfilippoluciani9
 
Introduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionIntroduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionAnuragMishra811030
 
Divorce Procedure in India (Info) (1).pdf
Divorce Procedure in India (Info) (1).pdfDivorce Procedure in India (Info) (1).pdf
Divorce Procedure in India (Info) (1).pdfdigitalnikesh24
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxMollyBrown86
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)Delhi Call girls
 

Último (20)

INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labour
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 7 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
 
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126Indemnity Guarantee Section 124 125 and 126
Indemnity Guarantee Section 124 125 and 126
 
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
Negotiable Instruments Act 1881.UNDERSTAND THE LAW OF 1881
 
Debt Collection in India - General Procedure
Debt Collection in India - General ProcedureDebt Collection in India - General Procedure
Debt Collection in India - General Procedure
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
 
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
如何办理(Lincoln文凭证书)林肯大学毕业证学位证书
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
Introduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionIntroduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusion
 
Old Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax RegimeOld Income Tax Regime Vs New Income Tax Regime
Old Income Tax Regime Vs New Income Tax Regime
 
Divorce Procedure in India (Info) (1).pdf
Divorce Procedure in India (Info) (1).pdfDivorce Procedure in India (Info) (1).pdf
Divorce Procedure in India (Info) (1).pdf
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 

Open Source Software Licence Compliance: Art or science?

  • 1. Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP
  • 2. The goal for OSS licence compliance… • Tooling which • Knows all the components you are using; • Knows exactly which licence is applicable to each component (including exceptions); • Can automatically generate a complete set of compliance artefacts; • Understands the terms you are trying to out-license on; • Understands the use case (distributable, app store, SaaS, containerized, embedded); • Generates build scripts and installation instructions where necessary; • Suggests remediation for potential problems; • Provides a repository which contains a set of pre-approved components; • Won’t allow/generates an error on build for non-compliance components.
  • 3. The goal for OSS licence compliance… • Component sources which • Correctly identify the applicable licences • Correctly identify relevant dependencies • Correctly identify relevant dependencies for that particular build configuration • Have a reference implementation with correct compliance artefacts • We are confident do not have included code from elsewhere • Contain easily machine readable metadata covering the above
  • 4. Challenges • The scale of the problem. An embedded system may contain over 100k components. • Legacy code does not use SPDX/REUSE etc. Much is being retrofitted, but sometimes it’s impossible. • Technology develops faster than compliance. Law develops slower than both • Containerization: where are all the components coming from? • Orchestration (e.g. Kubernetes) compounds this • What is “distribution”? • If you are not distributing to your client, but Docker is (for example), who must comply? • What about secondary liability? • An outsourced developer will frequently provide the compliance artefacts necessary to distribute the software to you….but insufficient information for you to distribute to your end users.
  • 5. Real issues: examples from Linux Kernel File: arch/m68k/mac/config.c * Much of this was defined by Alan, based on who knows what docs. File: arch/arm/kernel/sys_arm.c * Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c (The file sys_i386.c no longer exists in the source tree.) File: drivers/staging/rtl8192e/rtllib_softmac.c * WPA code stolen from the ipw2200 driver. * Copyright who own it's copyright. File: drivers/staging/rtl8192e/rtllib_softmac_wx.c * Some pieces of code might be stolen from ipw2100 driver * copyright of who own it's copyright ;-)
  • 6. Real issues: examples from Linux Kernel File: arch/alpha/kernel/smc37c669.c * This software is furnished under a license and may be used and copied... (No licence is specified - hopefully it is compatible with the GPL) Some typically unclear attributions/copyright notices: File: arch/powerpc/platforms/chrp/pegasos_eth.c * And anyone else who helped me on this (Following a set of attributions) File: arch/um/drivers/daemon_kern.c * Copyright (C) 2001 by various other people who didn't put their name here.
  • 7. Real examples: GPL Overreach SQLMap: GPL, but with an extended definition of “derivative work” which includes any software which * Executes sqlmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw sqlmap output and so are not derivative works).
  • 8. Code interaction – 3 axes of compliance To what extent must GPL code interact with other code to trigger the requirement for the other to be released under GPL? 1. How closely are the components combined? 2. How is the code delivered (distributed) to the user? 3. What sort of interface does the interaction use?
  • 9. How closely are the components combined? a. running the two components on separate computers b. running the two components separate virtual machines c. running the two components in separate threads or processes d. running the two components sequentially in the same thread or process (e.g. as a plug in) e. running the two components dynamically linked f. running the two components statically linked g. combining the two components by inserting code from one into the other (e.g. copypaste)
  • 10. How is the code delivered to the user? a. two components delivered separately at separate times, downloaded initiated by end-user b. two components delivered at the same time, with end-user explicitly accepting download of the copyleft component c. two components delivered simultaneously without the end-user’s explicit involvement, but are clearly separable within the package downloaded d. two components delivered simultaneously and pre-linked e. two components merged into one, inseparably.
  • 11. How do the components communicate? a. two components communicate through command-line interface or some form of pre-existing inter process communication (e.g. SMTP, or pipes) b. two components communicate through an API which is publicly published and which pre-exists the copyleft component c. two components communicate through an API which is private but which can be demonstrated to pre-exist the copyleft component d. two components communicate through an API defined by the copyleft component e. two components are dynamically linked f. two components are statically linked g. two components are combined into a single executable, inseparably
  • 12. So, do we need to apply GPL or not? 1. Establish how the interaction operates on all 3 axes. 2. The higher up the list the interaction is, in each case, the less is the likelihood of the problem. 3. Architect your application with this in mind. 4. This is not only a question of minimizing the possibility that you are infringing GPL (which is something only a judge can decide). It’s also about making it more difficult for a copyright holder to claim that you are.
  • 13. General issues here: 1. The scope of secondary copyright liability (if I encourage, or provide instructions to, or automate a process which means that I am not distributing the code, but the end-user is, am I liable for secondary copyright liability?) 2. Is this true, even if what the end-user is doing is perfectly lawful in itself? 3. (Note: there are several, mainly US cases around Napster and Grokster etc. 4. Thought experiment: it was revealed some years ago that certain Intel CPUs contain a Management Engine running a variant of Minix. 1. If that software contained infringing components, could you, as the person owning and switching on the computer, be held liable? 2. Liability for copyright infringement is not dependent on knowledge or intent. Knowing about the IME, is that fair? 5. Conclusion: the main area where compliance is not being helped, is the law
  • 14. Where to go from here? 1. Make it easier to find components with known licences, and better- defined dependencies - SPDX, REUSE, GitHub Licence Chooser 2. Clarify existing licence terms for older components - Please relicense to better known licences (and not to fauxpen licences) - Make the licensing information more consistent (e.g .Maven Central Repository) 3. Provide reference implementations, and example compliance materials - OpenChain, Oniro 4. But what about the law?
  • 15. Blue Sky? How licensing works (in theory): • Developer A decides what rights they want to grant users, for all possible use cases. • Developer A works with legal advisers to either select a licence or draft a new one (!) • B decides they want to use A’s code, reads the licence (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge decides who’s right.
  • 16. Blue Sky? How licensing works (in practice): • Developer A decides to write some software, and wants to open source it • A (hopefully) picks an existing licence which seems to do what they want, for most use cases. Possibly with the help of the legal dept. • B decides they want to use A’s code, and uses it in a way which is generally understood as acceptable (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge, who probably doesn’t know about FOSS decides who’s right.
  • 17. Ultimately… A developer may have a pretty good idea of what permissions they want attached to their code, and what outcome they want for certain code combinations…. … but that clarity will be destroyed because the message is filtered through lawyers, the uncertain legal system (which differs between jurisdictions) and the ultimate arbiter is a judge, who may well know nothing about FOSS.
  • 18. Is there a solution? • The law already acknowledges that the legal rights and obligations can be created without using natural language (e.g. derivatives). • Is it possible to remove the requirement that natural language is the only medium by which the rights and obligations of FOSS licences can be determined? • Can developers select a set of rights they want to apply to their code, and then an agreed algorithm determines how software interactions and compliance materials must be generated? • Can compliance (or at least a subset of it) become deterministic? • This won’t be perfect, but a developer may well settle with it being right 95% if the time.
  • 19. Such an algorithm… • Must provide consistent and reproducible results. • Must have a mechanism for being updated as practice evolves. Challenges • How to deal with fair use/fair dealing? • As law becomes code (in the Lessig sense) how do we guard against bad actors manipulating governance or the algorithm. • How do we transition existing code into the algorithmic licence?
  • 20. Conclusion • Compliance is getting more complex as the sheer number of components increases. • New technologies (containerization etc.) compound this • Compliance MUST be automated. There is great progress in this area. OpenChain, SPDX, REUSE frameworks, and technology from FOSSology, Scancode, SW360 and many more, including proprietary vendors, are making huge strides. • However, compliance is still, in part, an art, not a science. • The essence of open source is reducing friction. Can we reduce friction further by looking at the licensing process itself?
  • 21. Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP