Open Source License Compliance in the Cloud (CELESQ) (October 2012)
1. Copyright 2012 Bryan Cave
Open Source Software License Compliance in Cloud Computing
October 24, 2012
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
2. Open Source Software
Disclaimer and Rights
This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers.
For further information regarding this presentation, please contact the presenter(s) listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License, available at: http://creativecommons.org/licenses/by-sa/3.0/us.
9. What is Cloud Computing?
“I'm not sure my goal for today is going to be to actually explain it to you, but I do want to make sure that people understand that I think everybody in our industry accepts it's the next major transition point in terms of how IT gets done.”
Steve Ballmer, CEO of Microsoft, speaking at a Microsoft event in Singapore
11. What is Cloud Computing?
NIST Definition
• Initial NIST draft definition – April 2009
• Final NIST definition – September 2011 (NIST SP 800-145)
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
13. What is Cloud Computing?
NIST Definition - Essential Characteristics
• On-demand self-service
• Broad network access
– Standard access mechanisms: thin client (e.g., browser) or thick client (e.g., program interface)
– Multiple devices (e.g., mobile phones, tablets, laptops, workstations)
• Resource pooling (multi-tenant model) and location independence
• Rapid elasticity in provisioning and release
• Measured service (resource usage is monitored, controlled, and reported)
14. What is Cloud Computing?
NIST Definition - Service Models
• Software as a Service (SaaS)
– Standard applications running on a cloud infrastructure
– Accessible through various devices
– Consumer does not manage or control the underlying cloud infrastructure
• Platform as a Service (PaaS)
– Consumer-created or acquired applications deployed on a cloud infrastructure
– Accessible through various devices
– Consumer does not manage or control the underlying cloud infrastructure
• Infrastructure as a Service (IaaS)
– Consumer-created or acquired software deployed on consumer-provisioned cloud computing resources (e.g., processing, storage, networks)
– Accessible through various devices
– Consumer does not manage or control the underlying cloud infrastructure
– But does control operating systems, storage, and deployed software
15. What is Cloud Computing?
NIST Definition - Deployment Models
• Private cloud
– Provisioned for exclusive use by a single organization
– May include multiple consumers (e.g., business units) within that organization
– Owned, managed, and operated by the organization or by a third party
• Community cloud
– Provisioned for exclusive use by multiple organizations having shared concerns (e.g., mission, security, policy, privacy, or compliance)
– Owned, managed, and operated by the organizations or by a third party
• Public cloud
– Provisioned for use by the general public
– Owned, managed, and operated by the organization providing the service
• Hybrid cloud
– Two or more distinct cloud infrastructures (private, community, or public)
– Interfaced to enable data and application portability
29. Legal Issues
Changing Use of OSS
Lifecycle of a single in-licensed component (sequence reconstructed from the slide diagram):
• In-license of OSS under GPL
• Internal use
– Revisions made to OSS
– Linked to or bundled with proprietary code
• Use by wholly owned subsidiary
• Distribution occurs via:
– Sub is sold to 3rd party
– Software shared with “partner” during further development
– Change in technical or business model requires use by end users
Points:
• Permissions granted by OSS licenses are dependent on the way in which the OSS is used
• Be wary of changes in the use of OSS over its lifecycle
• Initial analysis is important
• Equally important to refresh when use changes
30. Open Source Licenses
Open source software is licensed software
Open source licenses make the software “open source”
31. Open Source Licenses
Open source licenses are dependent on copyright laws
Open source licenses are not anti-copyright
32. Open Source Licenses
Copyright: All Rights Reserved
“Copyleft”: All Rights Reversed
33. Open Source Licenses
Open Source Licenses Depend on Copyright
• Open source software licensing has arisen (at least in part) as a response to the advance of copyright law
• In the US, this is the Copyright Act of 1976 (17 U.S.C. §§ 101 – 810)
• Under the Copyright Act, a copyright attaches to “original works of authorship fixed in any tangible medium of expression” (See § 102(a))
• The Copyright Act allows only very narrow means for an author to “opt out” of receiving a copyright on an otherwise copyrightable work
• Computer software is generally viewed as being potentially copyrightable subject matter
34. Open Source Licenses
Open Source Licenses Depend on Copyright
• Open source licensing relies on the ability of a copyright owner to choose how to enforce (or not enforce) the copyright in his or her software
• Each open source license is intended to act as a set of permissions (and restrictions) granted by a copyright owner under their copyright
• Like most licenses (or contracts), open source licenses have limits
• Unlike proprietary licenses, these limits generally allow for more “open” or “free” use of the software
• The limits of each open source license comply with a document called the “Open Source Definition”
35. Open Source Licenses
The Open Source Definition
• The “Open Source Definition” (OSD) articulates the “distribution terms” with which licenses must comply to be considered “open source”
– Availability of source code
– Free redistribution
– Availability of “derived works”
– Integrity of the author’s source code
– No discrimination against persons or groups
– No discrimination against fields of endeavor
– License must travel with the software
– License not dependent on particular software distribution
– License does not restrict other software
– License technology neutral
• Used by the Open Source Initiative (OSI) to approve licenses as “open source”
36. Open Source Licenses
Approved Open Source Licenses
• The OSI maintains a program to approve licenses as compliant with the OSD
• Nearly 70 different licenses approved as “open source” by the OSI
– All implement the OSD, each with its own specific terms
– One definition, many different types of licenses
• Many more unapproved “open source” licenses exist
– Never formally approved by the OSI, but comply with the OSD
– Still refer to themselves (and referred to by others) as “open source”
• Many other licenses are referred to as “open source” but are anything but
– Perhaps based in some part on the OSD or on an OSI-approved license
– No guarantee of compliance with the OSD
37. Open Source Licenses
Just how different are open source licenses?
38. Open Source Licenses
Many Varied Consequences
Spectrum from “academic” to “copyleft” licenses (reconstructed from the slide diagram):
• Very permissive (academic)
– Berkeley Software Distribution License (BSD)
– MIT License
– W3C
• Less permissive
– Apache Software License
– Eclipse Public License
– Artistic License
• Less restrictive (copyleft)
– Mozilla Public License (MPL)
– Common Development and Distribution License (CDDL)
– Common Public License (CPL)
– IBM Public License
• More restrictive (copyleft)
– GNU GPL v2
– GNU GPL v3
– GNU LGPL v2.1
– GNU LGPL v3
– Affero GPL v3
39. Open Source Licenses
Example: BSD License
• Triggered by “redistribution and use”
• Express conditions apply to “redistributions”
• Does it matter given the permissive nature of the BSD?
40. Open Source Licenses
Example: Apache License (v2.0)
• Permits the ability to “freely download and use” the covered software
• Express conditions are triggered upon redistribution
41. Open Source Licenses
Example: Mozilla Public License (v1.1)
• Does not apply to “private modification and distribution”
• “Private” includes “inside a company or organization”
• Does not clarify what counts as “inside”
42. Open Source Licenses
Example: Mozilla Public License (v2.0)
• Does not apply to “private modification and distribution”
• “Private” includes “inside a company or organization”
• Does not clarify what counts as “inside”
43. Open Source Licenses
Example: GPLv2
• Triggered by distribution
• Merely running the program for internal use is not restricted
44. Open Source Licenses
Increasingly, it’s not just about “distribution”
45. Open Source Licenses
Example: GPLv3
• Not triggered directly by a “distribution” but by a “conveyance”
• Conveyances expressly exclude
– Executing on a computer or making a “private” copy
– Use over a network
46. Open Source Licenses
“So doesn’t this mean that the GPL is the new BSD license. . . and that Google is the new Microsoft?”
Bradley Kuhn, former executive director of the FSF
47. Open Source Licenses
Example: AGPLv3
• Expressly covers use over a network
• Treats use over a network the way GPLv3 treats a conveyance (or the way GPLv2 treats a distribution)
48. Open Source Licenses
What constitutes a “distribution” of software?
49. Open Source Licenses
Distribution Under Copyright Law
• In the U.S., the Copyright Act provides copyright owners with five exclusive rights (See §106)
– Reproduce
– Distribute
– Display (publicly)
– Perform (publicly)
– Prepare derivative works
• “Distribution” itself is not defined by the Act
• But the Act does provide some guidance
• The right of “distribution” is framed by additional language in §106
– Distribution of copies (or phonorecords)
– To the public
– By transfer (sale, rental, lease, or lending)
50. Open Source Licenses
Distribution Under Copyright Law
• A “publication” is defined in §101 of the Act
• Requires the exchange of an actual physical copy
• The Act links the two terms
– States that offering to distribute copies to others “for purposes of further distribution” constitutes a publication (§101)
– Contrasts publication with a public performance or display
• Courts have also likened the right of distribution to a publication (See, e.g., Harper & Row v. Nation Enterprises, 471 U.S. 539 (1985))
• The history of the Act also supports a connection between the two terms (U.S. copyright law prior to the Copyright Act of 1976)
• Attempts to extend the definition of “distribution” to include “making available” (without the exchange of an actual physical copy) have met with resistance from the courts
• This can be very country specific
51. Open Source Licenses
“I know it when I see it”
Justice Potter Stewart, Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (concurring)
52. Open Source Licenses
Distribution Under Copyright Law
Spectrum of arrangements between clearly internal use and clearly a distribution (reconstructed from the slide diagram):
• Internal use by employees (traditional software licenses)
• Internal subcontractors
• Outside consultants
• Subsidiaries
• Partially-owned affiliates
• Outsourcers
• Web hosting providers
• Co-location providers
• Leases and loans
• Demos
• Joint venture “partners”
• Mergers
• Acquisitions
• Distribution
53. Open Source Licenses
What are the consequences of a distribution?
54. Open Source Licenses
Example: GPLv2
• GPLv2 covers the program licensed under GPLv2 and “works based on the program”
• Requires works in whole or in part “derived from the Program” to be licensed under the terms of the GPL
55. Open Source Licenses
Example: GPLv2
• Refers to a “derivative work” under applicable copyright law as a guide
• Also provides its own interpretation of what would be included as a “work based on the program”
56. Open Source Licenses
Many (many, many) questions of interpretation
57. Open Source Licenses
Example: GPLv2
• GPLv2 sets multiple boundaries
– Triggered by a “distribution”
– Allows modification to form a “work based on the Program”
– Requires a work that “in whole or in part contains or is derived from the Program” to be subject to the GPL
• Does not fully define these terms
• Refers to applicable copyright law for aid in providing definitions
• Copyright law is also not well-defined as it relates to these terms (particularly in the context of software)
58. Open Source Licenses
Example: GPLv2
• Multiple interpretations and understandings have emerged
– Free Software Foundation and other open source groups
– Open source legal community
– Very limited court decisions regarding open source
– Court decisions in other areas of copyright law
• Relatively little dispute at either end of the spectrum
• Uncertainty exists in the many variations in-between
• Cloud implementations add additional variations
• Even “accepted” interpretations are highly fact-dependent
59. Open Source Licenses
Example: GPLv2
• Copyright law gives the copyright owner power to enforce their copyright
• Issuing licenses is part of this power
• The copyright owner decides
– Whether to apply GPLv2 to their software
– How to interpret GPLv2 as applied to their software
– When and how to enforce GPLv2
• Court decisions apply (if they are available)
• Accepted interpretations and practices can carry weight
• Where the law is unclear and multiple reasonable interpretations exist, the copyright owner has the power to decide which interpretation to adopt
60. Open Source Licenses
What happens when a difference in interpretation occurs?
61. Open Source in the Cloud
Takeaways
• Legally, open source is (still) all about the licenses
• Cloud computing puts the focus on different issues than traditional software delivery models
• Distribution is an important issue, but is not the only concern
• Other traditional open source legal issues are still (very) relevant
• Interpretation of these issues requires an understanding of the “cloud”
• Focus on the core characteristics of the cloud
• Understand how those characteristics affect the interpretation of open source licenses
• Premium (as always) on preemptive action
• Increased risks (and hassles) for unprepared companies
• Update existing open source compliance programs (before you are required to do so)