Open Source Software: What Are Your Obligations?

1. Protecode Inc. 2015 1
Open Source Software:
What Are Your Obligations?
Thursday, April 23rd, 2015

2. Protecode Inc. 2015
Agenda
 Open Source Software
– What is Open Source?
– Licence and copyrights overview
– Case studies
 Open Source Software Management
– Controlling the adoption of Open Source – Are we using it?
– Open Source attributes. Where are they?
– Software package – preapproval
– Composite projects
– Options – Manual versus automated
 Wrap up and Q/A
2
Martin Callinan,
Director,
Source Code Control
Andrew Katz,
Managing Partner/Chief
Executive,
Moorcrofts LLP

3. Protecode Inc. 2015
Open Source Everywhere
These companies have dedicated OSS Teams
3
“Every Company Is a
Software Company”
– CEO Mendix

4. Linux dominates every
sector of computing
(except desktop)
http://www.zdnet.com/article/20-great-years-of-linux-and-supercomputers/

5. By 2016, the vast majority of
mainstream IT organisations will use
open source in mission-critical
solutions.
https://www.gartner.com/doc/2822619

6. o 44% of all code created in the world is OSS and
increasing
80% of newly deployed code is open source
o 31% of OSX is OSS, 75% of Android.
o Stats demonstrate OSS more innovative than
proprietary
o 36% lower defects in OSS than comparable
proprietary code
http://transfersummit.com/sites/default/files/materials/rgardler/ts11daffara-notes.pdf
http://www.openforumacademy.org/library/ofa-fellows-reference-library/ofe-fellows-reference-
library/Hosted%20Files/first-conference-proceedingsA4.pdf

7. What is open source?

8. • Source code is available
• Freedom to use (for any purpose)
• Freedom to study and modify
• Freedom to distribute (original or modifications)

9. Open source software
still has an owner, and to
use it you need a licence.

10. Open Source
Licensing

11. • There are hundreds of different types of licence.
• They range from very simple to more complex.
• Many licences are easy to comply with
• Some licences are subject to “copyleft”

12. • ‘Permissive’ or ‘Academic’ licences
• You can do what you want, including building the
code into proprietary products.
• Compliance usually limited to incorporating
disclaimers and attributions if you distribute.
• Examples: BSD, Apache
Easy compliance

13. • ‘Reciprocal’, ‘Copyleft’, ‘Sharealike’
• If you distribute the program (as-is, or modified),
you must do so under the same terms.
• You can’t incorporate it into proprietary code.
• If you breach, you’re in breach of copyright.
• e.g. GPL, Mozilla, Microsoft Public License
Difficult compliance

14. Copyleft licences are only relevant on distribution.
But distribution may mean many things:
• Supply to customers
• Transfer to companies within the same group
• Transfer to outsourcing provider
• Use of software over a network (SaaS) (AGPL, OSL)
Distribution?

15. Distribution in breach of
licence is a breach of
copyright.

16. Non-copyright risk
issues

17. • Patents – know your exposure, know if you need
to get a licence (e.g. codecs)
• Bugs (security, in particular)

18. Why you need to know
what code you are
running.

19. Case Studies

20. Financial Services
• Compliance driven by regulator
• Pensions providers required to do due diligence
on their service providers to assess risk of
software failure
• Our client required to undertake an annual audit
of code used to provide solutions to pensions
providers

21. M&A Transactions
• Open source due diligence now routine in M&A
transactions
• Purchaser/investor will want comfort that the
codebase is clean, and that appropriate
procedures are in place

22. Heartbleed
• OpenSSL deployed by hundreds of thousands of
end-user companies for encryption in web apps
and elsewhere
• Trillions of dollars of transactions depend on it
• Critical bug found
• Companies had to answer to shareholders and
regulators

23. Mitigating risk
• Ensure deep knowledge of your codebase
• Employ appropriate practices and procedures to
ensure code cleanliness
• Document provenance
• Test practices and procedures - auditing

24. Protecode Inc. 2015 24
Martin Callinan – Source Code Control Limited
Open Source Software Management

25. Protecode Inc. 2015
OSS in Organisations
 Shall we use OSS or do we know if we use OSS already?
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
 The most common factors affecting use of OSS in
software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
25

26. Protecode Inc. 2015
Licensing Challenges of OSS
 Produced by large number of developers over time
– Bazaar model: policy of fast and frequent releases, release
candidates, possibility of governance impairments
 Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
 Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output
could be a derivative of input
– Contain or implement APIs that may have their own obligations
26

27. Protecode Inc. 2015
Compliance is not always clear
 Open Source projects use open source projects
 Composite projects may have multiple licenses
– Project license
• A top level license, or top level document listing applicable licenses
• Look for website information, LICENSE, COPYING, or README
files
– Subfolder licenses
• Indicate sub-level OSS projects
• Not always present
– File licenses
– Exceptions: subfolder holding binaries or libraries
• Generally do not have a license document
• You are on your own to determine the binary or library licenses
– Automated code scanning tools should resolve these cases
27

28. Protecode Inc. 2015
License Compatibility
 Licenses with unacceptable terms
 Licenses with conflicting terms
– Not all licenses are compatible
– Example: GPL (and its varieties) are incompatible with most
other licenses (See https://www.gnu.org/licenses/license-list.html for a detailed list)
28

29. Protecode Inc. 2015
Establishing A Baseline
 Objective: Identify all 3rd party content
and identify licensing attributes
 Tasks:
– Inspect all source code and build
ingredients to create Bill of Materials (BoM).
– Key files:
• Text files containing license text
• Text files that may make reference to
licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
– Assess the fit with the policy
29

30. Protecode Inc. 2015
Package Pre-Approval
 Evaluate OSS before it is used
 Workflow Process
– Request/Assess/Approve-Reject
 Information required for pre-approval
– Project & Package Information
• Project name, URL, license, author(s),
type, exportability, etc.
– Usage Model
• Distribution model
– (binary, source, hosted, internal only, etc.)
• Types of derivatives
– (Modified? Linked? Loosely coupled?)
• Organization specific information
– Business unit
– Business justification
• Maintenance and support
30

31. Protecode Inc. 2015
 Commercial tools are available for building and
managing a code Inventory
– Establish Policies, Pre-Approve packages, Establish a
baseline
– Scripted Bulk Analysis, Library Analysis, Build Analysis
– Developer Assistant real-time desktop analysis
 Complete scanning solution
– Detect third party projects, files or snippets within a portfolio
– Create a Bill of Materials (BoM) of all components
– Report on licenses, copyrights, security vulnerabilities, export
control obligations, encryption content
– Detect, interpret and create Software Package Data Exchange
(SPDX) files
– Report on license obligations and license compatibilities
– Concatenate licenses and notices for distribution with a
product
– Integrate within a development lifecycle using powerful API’s
 Accurate and up to date information
– Driven by a reference Global IP Signatures (GIPS) database
– Updated and synchronized with National Vulnerability
Database 24x7
Automated OSS Management Tools

32. Protecode Inc. 2015
Wrap Up
 If you do not use Open Source software, you will be left out
– Managed adoption of Open Source software is the way to go
 Compliance requires
– Knowledge of what OSS packages are used
• Creating and maintaining a software Bill of Materials
– Access to OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature,
declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable.
– Removing any component that is not needed
 Prevention works better than correction
– Package pre-approval, due diligence during development, and at build
time
 Managing Open Source content requires automated tools
– Manual methods are expensive, inaccurate and take too long
32

33. Protecode Inc. 2015
Q&A
Please type your questions into the chat box to the right
33

34. Protecode Inc. 2015
About Moorcrofts
 Firm wide focus on corporate, tech and HR law
 Tech expertise across the board, such as:
– Open source licensing
– Software and Hardware agreements
– IPR protection
– Data security
 Work in a range on industries from start ups through to
AIM listed business, including:
– Lifescience, Biotech and Parma
– IT
– Financial
– New Media
 For more information, contact Andrew Katz +44 1628
470003; andrew.katz@moorcrofts.com
34

35. Protecode Inc. 2015
• Ease the adoption of Open Source Software
• Software source code audits
• Legal risk/licence compliance
• Security vulnerabilities
• Operational risk
• Enable greater use of OSS across the organisations
• Quality code
• Secure code
• Compliant code
• DevOps services
About Source Code Control Limited

36. Protecode Inc. 2015
About Protecode
Global Supplier of software compliance and security vulnerability
management solutions
Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
36
Complete Set of Solutions
for
Managed Adoption of Open Source

37. Protecode Inc. 2015
• Book an individual discussion : source@sourcecodecontol.co
• Managing existing OSS projects
• Planning for future OSS adoption
• Code reviews
• Useful resources
• Open Source Initiative
• http://opensource.org/
• Free Software Foundation
• http://www.fsf.org/
• BCS Open Source Specialist Group
• http://ossg.bcs.org/
• For more information about Source Code Control Limited
• http://www.sourcecodecontrol.co
• For more information about Moorcrofts
• http://www.moorcrofts.com/
• Whitepapers, case studies and educational videos from Protecode
• http://www.protecode.com/resources/
Next Steps

38. Protecode Inc. 2015 38
info@protecode.com
www.protecode.com