Introduction to License Compliance and My research (D. German)

  1. Open Source License Compliance Daniel M German, University of Victoria http://github.com/dmgerman/papers/
  2. Open Source is successful
  3. Open Source is everywhere
  4. My research goals
  5. My research goals • To understand how OSS is developed
  6. My research goals • To understand how OSS is developed • To help OSS development
  7. My research goals • To understand how OSS is developed • To help OSS development • To document best practices for the adoption and use of OSS
  8. Software Engineering Research Source Code
  9. Software Engineering Research Source Code People
  10. Software Engineering Research Source Code Organizations People
  11. Software Engineering Research Source Code Organizations Software Ecosystems People
  12. My research
  13. Open Source Software My research
  14. Mining Software Repositories Open Source Software My research
  15. Mining Software Repositories Open Source Software Intellectual Property (copyright) My research
  16. Mining Software Repositories Open Source Software Intellectual Property (copyright) My research Empirical Studies
  17. Mining Software Repositories Open Source Software Intellectual Property (copyright) My research Empirical Studies Tools
  18. OSS
  19. OSS • OSS is software that is under an Open Source License
  20. OSS • OSS is software that is under an Open Source License • The big shift: industry wants to use it • Car makers/Software developers/TVs/Phone/Internet-of-things…
  21. OSS compliance “Is the way I reuse OSS compliant with its license?”

  22. Industry and OSS •Industry wants to reuse OSS •But wants to minimize its potential liability
  23. License Compliance
  24. License Compliance 1. Architectural Analysis
  25. License Compliance 1. Architectural Analysis 2. Provenance Discovery
  26. License Compliance 3. License Identification 1. Architectural Analysis 2. Provenance Discovery
  27. Architectural Analysis • What are the components of a system? • How are they connected? • What files are part of what components? • What components are actually used?
  28. Examples
  29. Examples • Apple’s OS X:
  30. Examples • Apple’s OS X: • Contains many open source components
  31. Examples • Apple’s OS X: • Contains many open source components • Under a variety of licenses (although GPL-licensed components are being replaced with BSD-licensed ones)
  32. Examples • Apple’s OS X: • Contains many open source components • Under a variety of licenses (although GPL-licensed components are being replaced with BSD-licensed ones) • FreeBSD
  33. Examples • Apple’s OS X: • Contains many open source components • Under a variety of licenses (although GPL-licensed components are being replaced with BSD-licensed ones) • FreeBSD • Licensed under the BSD-2 license, but contains GPL’d software
  34. Examples • Apple’s OS X: • Contains many open source components • Under a variety of licenses (although GPL-licensed components are being replaced with BSD-licensed ones) • FreeBSD • Licensed under the BSD-2 license, but contains GPL’d software • Disabled by default
  35. International Conference in Software Engineering, 2009
  37. Methods of interconnection: Linking Forking Subclassing Remote call Plugin International Conference in Software Engineering, 2009
  42. Methods of interconnection: Linking Forking Subclassing Remote call Plugin International Conference in Software Engineering, 2009 Developers find innovative ways to deal with copyright licensing restrictions
  43. Automated Software Engineering, 2014
  48. Automated Software Engineering, 2014 Even “internal” license compliance of the system being developed is hard
  49. Provenance Discovery • Provenance: • Evidence of origin, history and integrity • External: • Where does this module/file/snippet come from? • Internal: • How has this file been modified by the project?
  50. Journal of Empirical Software Engineering, 2013
  55. For effective provenance you need a very large corpus Journal of Empirical Software Engineering, 2013
  56. For effective provenance you need a very large corpus Journal of Empirical Software Engineering, 2013 Tools without corpus are useless
  57. For effective provenance you need a very large corpus Journal of Empirical Software Engineering, 2013 Tools without corpus are useless Industry does not want methods or tools; it wants consulting
  58. License Identification • What is the license of this module/file/snippet?
 

  59. Automated Software Engineering, 2010
  63. Automated Software Engineering, 2010 Ninka
  64. Automated Software Engineering, 2010 Ninka Integrated into Fossology v3.0
  65. Empirical Studies • What are the challenges of OSS creation and reuse? • Methods: • Mining software repositories • Surveys
  66. Journal of Empirical Software Engineering, 2017
  68. • What are the different licenses used in GitHub? • What are the common license change patterns? • Why do they change? Journal of Empirical Software Engineering, 2017
  71. • What are the different licenses used in GitHub? • What are the common license change patterns? • Why do they change? Most frequently: changes to licensing are documented but not explained Journal of Empirical Software Engineering, 2017
  72. Int. Conf. Software Engineering, 2018
  77. Int. Conf. Software Engineering, 2018 Licensing bugs are hard to fix
  78. The Copyright Troll © Bob MacNeil/extremetech.com
  79. https://www.heise.de/newsticker/meldung/Linux-in-Elektronikgeraeten-Streit-ueber-Lizenzbedingungen-geht-in-naechste-Instanz-3986181.html
  84. Patrick McHardy
  85. Patrick McHardy • Former chair of the Netfilter Core Development Team • Part of Linux; widely used
  86. Patrick McHardy • Former chair of the Netfilter Core Development Team • Part of Linux; widely used • Has been seeking non-compliant reusers of the Linux Kernel • Allegedly for financial gain (it is estimated he has made more than €2M)
  87. Patrick McHardy • Former chair of the Netfilter Core Development Team • Part of Linux; widely used • Has been seeking non-compliant reusers of the Linux Kernel • Allegedly for financial gain (it is estimated he has made more than €2M) • In 2016 he was suspended from the Netfilter Core Development Team
  88. – Greg Kroah-Hartman et al. “While the kernel community has always supported enforcement efforts to bring companies into compliance, we have never even considered enforcement for the purpose of extracting monetary gain.” http://kroah.com/log/blog/2017/10/16/linux-kernel-community-enforcement-statement/
  89. Geniatec vs McHardy in the words of H. Welte (Netfilter) • “The court recognized that there is no co-authorship / joint authorship (German: Miturheber) in the Linux kernel as a whole, as it was not a group of people planning+developing a given program together, but it is a program that has been released by Linus Torvalds and has since been edited by more than 15.000 developers without any "grand joint plan" but rather in successive iterations. This situation constitutes "editing authorship" (German: Bearbeiterurheber)” • "The court further recognized that being listed as "head of the netfilter core team" or a "subsystem maintainer" doesn't necessarily mean that one is contributing copyrightable works. Reviewing thousands of patches doesn't mean you own copyright on them, drawing an analogy to an editorial office at a publisher.” • “The court understood there are plenty of Linux versions that may not even contain any of Patrick McHardy's code (such as older versions)” http://laforge.gnumonks.org/blog/20180307-mchardy-gpl/
  90. But… • “The Linux kernel development model does not support the claim of Patrick McHardy having co-authored Linux. In so far, he is only an editing author (Bearbeiterurheber), and not a co-author. Nevertheless, even an editing author has the right to ask for cease and desist, but only on those portions that he authored/edited, and not on the entire Linux kernel.” • “The plaintiff did not sufficiently show what exactly his contributions were and how they were forming themselves copyrightable works” • “The plaintiff being a member of the netfilter core team or even the head of the core team still doesn't support the claim of being a co-author, as netfilter substantially existed since 1999, three years before Patrick's first contribution to netfilter, and five years before joining the core team in 2004.”
  91. Important questions: • What has McHardy contributed to Linux? • What copyrightable material has he contributed to Linux? • What is currently in Linux?

  92. Context • 26.5 years of development • 806k changes • By 17k different persons • 63k files
  93. Version control and Linux • 1991-2002: none • 2002-2005: Bitkeeper • 2005-today: git
  94. Version Control tracks lines
  95. Linux Foundation Request • Can we know where every “character” of the source code of the Linux kernel comes from?

  96. Linux Foundation (sidebar) • The Linux Foundation (LF) is not Linux • LF is a “business league” (not-for-profit, industrial members) • Its goal: “Building sustainable ecosystems around open source projects to accelerate technology development and commercial adoption.” • It pays the salaries of Linus Torvalds and Greg Kroah-Hartman
  97. Linux Foundation efforts • SPDX: Software Package Data Exchange (SPDX) • Document open source licenses • OpenChain • Documents good-practice processes to improve license compliance • CHAOSS: Community Health Analytics of Open Source Software • Create metrics to measure the “health” of an open source project
  98. However… • cregit only tells us what change introduced what • Open questions: • What changes are copyrightable? • Where does the code in a change come from? • Is the person doing the change the copyright holder?
  99. At a more holistic level • Who are the copyright holders of: • A system/module/file/function/API • Is there “residual” IP when code is replaced with new code? • On purpose or by evolution
  100. To summarize
  101. http://turingmachine.org http://github.com/dmgerman/papers