Diffstat (limited to 'management/license_compliance')
| -rw-r--r-- | management/license_compliance/Makefile | 1 | ||||
| -rw-r--r-- | management/license_compliance/pres_license_compliance.tex | 12 | ||||
| -rw-r--r-- | management/license_compliance/pres_license_compliance_en.tex | 633 |
3 files changed, 646 insertions, 0 deletions
diff --git a/management/license_compliance/Makefile b/management/license_compliance/Makefile
new file mode 100644
index 0000000..d792c32
--- /dev/null
+++ b/management/license_compliance/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_LICENSE_COMPLIANCE) += pres_license_compliance_en.pdf
diff --git a/management/license_compliance/pres_license_compliance.tex b/management/license_compliance/pres_license_compliance.tex
new file mode 100644
index 0000000..dbdc97a
--- /dev/null
+++ b/management/license_compliance/pres_license_compliance.tex
@@ -0,0 +1,12 @@
+\input{configpres}
+
+\title{\lq FOSS Basics\rq}
+\maketitle
+
+\subsection{Copyright and License compliance}
+
+\begin{frame}
+\frametitle{Copyright}
+\end{frame}
+
+\input{tailpres}
diff --git a/management/license_compliance/pres_license_compliance_en.tex b/management/license_compliance/pres_license_compliance_en.tex
new file mode 100644
index 0000000..f949ddf
--- /dev/null
+++ b/management/license_compliance/pres_license_compliance_en.tex
@@ -0,0 +1,633 @@
+\input{configpres}
+
+\title{\lq License compliance\rq}
+\maketitle
+
+\begin{frame}
+This training and the related materials are based on best-practice
+and recommendations. This training doesn't reflect any legal advice!
+No content created from Linutronix should be considered / used as legal advice.
+For legal advice consult an Attorney.
+\end{frame}
+
+\subsection{Copyright}
+
+\begin{frame}[fragile]
+\frametitle{Copyright}
+\begin{verbatim}
+''...Copyright is a legal right, existing in many countries, that grants
+the creator of an original work exclusive rights to determine whether,
+and under what conditions, this original work may be used by others...''
+\end{verbatim}
+source: https://en.wikipedia.org/wiki/Copyright
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{The berne convention}
+\begin{itemize}
+\item First accepted in 1886
+\item Standardized copyright law
+\item Before the berne convention copyright was specific to the different countries
+\item Copyright exists from the moment when the work is done
+\item No registration is required!!
+\item So, Copyright is given ''automatically''
+\item As of today more than 170 parties are signees of the ''berne convention''
+\item https://copyrighthouse.org/countries-berne-convention
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Copyright: Granting permissions}
+\begin{itemize}
+\item Copyright gives the owner the right to control the use of his work
+\item Usage needs to be explicitely granted by the copyright owner
+\item The copyright owner can license the use to another party
+\item So, with a software license the copyright holder grants a third party the usage of the software in a specific way
+\item That's why we need to talk about licenses
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Copyright: Who can hold the copyright}
+\begin{itemize}
+\item Individual / Author
+\item Employer
+\item Organization
+\end{itemize}
+\end{frame}
+
+\subsection{Open-Source licenses}
+
+\begin{frame}
+\frametitle{Why you have to care about licensing}
+\begin{itemize}
+\item Ensuring license compliance
+\item Protect your intelectual property
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is Open-Source}
+Definition by the Open-Source Initiative (OSI):
+\begin{itemize}
+\item Free Redistribution
+\item Source Code
+\item Derived Works
+\item Integrity of The Author's Source Code
+\item No Discrimination Against Persons or Groups
+\item No Discrimination Against Fields of Endeavor
+\item Distribution of License
+\item License Must Not Be Specific to a Product
+\item License Must Not Restrict Other Software
+\item License Must Be Technology-Neutral
+\end{itemize}
+See: https://opensource.org/osd
+\end{frame}
+
+\begin{frame}
+\frametitle{OSI approved licenses}
+https://opensource.org/licenses/
+\end{frame}
+
+\begin{frame}
+\frametitle{Copyleft: How to get it right ;-)}
+\begin{itemize}
+\item A common misunderstanding is, that Copyleft might be the opposite
+of Copyright ;)
+\item BUT...LEFT comes from: to leave, left, left
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Copyleft}
+It basically means that you give someone the right to modify and
+redistribute copies of a work, BUT when redistributing the original
+rights need to be preserved! Preserving the rights of receiving,
+modifying and redistributing is what we call ''Copyleft''.
+\end{frame}
+
+\begin{frame}
+\frametitle{Copyleft licenses / Reciprocal licenses}
+Copyleft based licenses are also referred as ''reciprocal licenses''
+\end{frame}
+
+\begin{frame}
+\frametitle{Strict and weak Copyleft}
+\begin{itemize}
+\item For strong Copyleft all derived works inherit the Copyleft license
+\item For weak Copyleft not all derived works inherit the Copyleft license
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Protecting your intelectual property}
+Now that you know the concept of Copyleft, you might realize why license
+compliance is also about protecting your intelectual property.
+\end{frame}
+
+\begin{frame}
+\frametitle{Permissive licenses}
+Open-Source licenses without Copyleft are usually referred as ''permissive
+licenses''
+\end{frame}
+
+\begin{frame}
+\frametitle{Overview of reciprocal and permissive licenses}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/license_overview.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: GPLv2}
+\begin{itemize}
+\item Strong Copyleft
+\item Code changes have to be documented
+\item License and Copyright notice has to be included
+\item Source-Code must be made available when re-distributing
+\begin{itemize}
+\item Deliver the source-code with your software / product, or:
+\item Deliver a written offer which is at least valid for three years
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{GPL: Example for a written offer}
+\begin{verbatim}
+To obtain a copy of the source code
+being made publicly available by FooBar,
+Inc. (“FooBar”) related to software used
+in this FooBar product (“Product”), you
+should send your request in writing to
+opensourcecompliance@foobar.com.
+[...]
+\end{verbatim}
+Source: Open-Source compliance in the enterprise by Ibrahim Haddad
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Other obligations of GPL licenses}
+\begin{itemize}
+\item Building the code
+\item Running the code
+\item The user has to be able to run the modified executable!
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: AGPLv3}
+\begin{itemize}
+\item STRONGEST Copyleft license!!
+\item Distribution also covers the use-case of services over a network!!
+\item So, network use IS distribution!!
+\item Code changes have to be documented
+\item License and Copyright notice has to be included
+\item Source-Code must be made available when re-distributing
+\begin{itemize}
+\item Deliver the source-code with your software / product, or:
+\item Deliver a written offer which is at least valid for three years
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: LGPLv2}
+\begin{itemize}
+\item Weak Copyleft
+\item If only used as library, re-distributing the resulting program doesn't need the same license
+\item BUT the library itself always needs to be re-distributed under the same license
+\item Code changes have to be documented
+\item License and Copyright notice has to be included
+\item Source-Code must be made available when re-distributing
+\begin{itemize}
+\item Deliver the source-code with your software / product, or:
+\item Deliver a written offer which is at least valid for three years
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: (L)GPL v2 vs. v3}
+\begin{itemize}
+\item v3 released in 2007
+\item Patent use is covered
+\item Tivoization is covered in GPLv3: ''...Installation Information for a User Product means any methods, procedures, \textbf{authorization keys}, ...''
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: MIT}
+\begin{itemize}
+\item Permissive license
+\item Very simple
+\item It basically only requires the preservation of license and copyright notice(s)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: Apache}
+\begin{itemize}
+\item Permissive license
+\item It basically only requires the preservation of license and copyright notice(s)
+\item Code changes have to be documented
+\item Express grant of patent rights from contributors
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Licenses: BSD 2-Clause License (AKA simplified BSD)}
+\begin{itemize}
+\item Permissive license
+\item Two versions of BSD license available: 2-clause and 3-clause
+\item Preservation of license and copyright notice(s)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Protecting your intelectual property ctd.}
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/kernel_user.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{A detailed look into ''derived work''}
+Be careful not only linking or copying code might result in a derived
+work:
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/derived_work.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{So, how does that work for the Linux Kernel}
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/kernel_user.jpg}
+\end{figure}
+The kernel takes a license exception for the syscall interface:
+\begin{verbatim}
+SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
+\end{verbatim}
+\end{frame}
+
+\subsection{Working on / with FOSS}
+\begin{frame}
+\frametitle{First of all:}
+\begin{itemize}
+\item License decisions are NOT a developer decision
+\item License decisions are NOT a decision of team leader or the group leader
+\item IT'S A DECISION OF YOUR LEGAL DEPARTMENT
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Which licenses are allowed}
+A process has to be established:
+\begin{itemize}
+\item Who is allowed to select new Open-Source components?
+\item The responsible person should have a list of accepted (and by the legal department approved) licenses
+\item The responsible person should know who to ask when a new license comes in
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Copyright notice: When is it needed?}
+\begin{itemize}
+\item When you add a new file
+\item When you make \textbf{significant} changes to a file
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Copyright notice: How should it look like}
+\begin{itemize}
+\item You can use (c), Copyright or Copr.
+\item First publication and date of last significant change needs to be stated
+\item Full name of the copyright holder needs to be provided: Author, employer or organization
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Copyright notice: Examples}
+\begin{verbatim}
+/*
+ * Copyright 2019, Linutronix GmbH
+ */
+
+/*
+ * (c) 1991, Linus Torvalds
+ */
+
+/*
+ * Copyright 2014,2018, Jan Altenberg
+ */
+
+/*
+ * Copyright 2000-2008, Linutronix GmbH
+ */
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Copyright notice: Examples}
+Redundancy is allowed:
+\begin{verbatim}
+/*
+ * Copyright (c) 2019, Linutronix GmbH
+ */
+\end{verbatim}
+Statements can be combined:
+\begin{verbatim}
+/*
+ * Copyright 2013,2015-2019 Jan Altenberg
+ */
+\end{verbatim}
+\end{frame}
+
+\begin{frame}
+\frametitle{License reference}
+There are several ways to reference the corresponding license in the source code:
+\begin{itemize}
+\item Standard license header
+\item URL reference
+\item SPDX license identifier
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{License reference: License header}
+\begin{verbatim}
+[...]
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; version 2.
+
+This program is distributed in the hope that it will be
+useful, but WITHOUT ANY WARRANTY; without even the implied
+warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software Foundation,
+Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
+USA.
+\end{verbatim}
+Source: https://spdx.org/licenses/GPL-2.0-only
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{License reference: URL reference}
+\begin{verbatim}
+/*
+ * http://opensource.org/licenses/GPL-2.0
+ */
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{License reference: SPDX license identifier}
+\begin{verbatim}
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ */
+\end{verbatim}
+\end{frame}
+
+\begin{frame}
+\frametitle{File notice}
+EVERY file should contain a copyright notice AND a License reference:\\
+copyright notice + license reference = file notice
+\end{frame}
+
+\begin{frame}
+\frametitle{The SPDX standard}
+\begin{itemize}
+\item http://spdx.org
+\item S oftware P ackage D ata E xchange format
+\item SPDX is a standard for exchanging ''bill of material information'' of software (licenses, copyright, ...)
+\item Well established (industry standard!)
+\item Many tools available
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{File notice: Example}
+\begin{verbatim}
+/*
+ * Copyright 2019, Linutronix GmbH
+ * SPDX-License-Identifier: LGPL-3.0
+ */
+\end{verbatim}
+\end{frame}
+
+\begin{frame}
+\frametitle{Example of a license list}
+\begin{tabular}{|c|c|c|c|c|c|}
+\hline
+\textbf{License} & \textbf{internal} & \textbf{Linux Kernel} & \textbf{Lib} & \textbf{Application} & \textbf{Webservice}\\
+\hline
+AGPLv3 & YES & NO & NO & NO & NO\\
+\hline
+GPLv2 & YES & YES & NO & NO & YES \\
+\hline
+LGPLv2 & YES & YES & CHECK & CHECK & YES\\
+\hline
+GPLv3 & YES & NO & NO & NO & YES\\
+\hline
+\end{tabular}
+\end{frame}
+
+\subsection{Related ressources}
+\begin{frame}
+\frametitle{Dejacode/licenses}
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/dejacode_overview.png}
+\end{figure}
+https://enterprise.dejacode.com/licenses/
+\end{frame}
+
+\begin{frame}
+\frametitle{Dejacode/licenses}
+\begin{figure}[h]
+\centering
+\includegraphics[height=6cm]{images/dejacode_conditions.png}
+\end{figure}
+https://enterprise.dejacode.com/licenses/
+\end{frame}
+
+\begin{frame}
+\frametitle{tldrlegal.com}
+\begin{figure}[h]
+\centering
+\includegraphics[width=10cm]{images/tldr_legal.png}
+\end{figure}
+https://tldrlegal.com
+\end{frame}
+
+\begin{frame}
+\frametitle{choosealicense.com}
+\begin{figure}[h]
+\centering
+\includegraphics[height=6cm]{images/choosealicense.png}
+\end{figure}
+https://chossealicense.com
+\end{frame}
+
+\begin{frame}
+\frametitle{Recommended reading}
+\begin{itemize}
+\item Free Linux Foundation eBook on FOSS compliance:\\
+https://www.linuxfoundation.org/blog/2018/12/new-ebook-offers-comprehensive-guide-to-open-source-compliance/\\
+\item Free Linux Foundation online seminar on FOSS compliance for developers:\\
+https://training.linuxfoundation.org/training/compliance-basics-for-developers/\\
+\end{itemize}
+\end{frame}
+
+\subsection{Tools}
+\begin{frame}[fragile]
+\frametitle{Scancode}
+Getting scancode:
+\begin{verbatim}
+git clone git://github.com/nexB/scancode-toolkit.git
+\end{verbatim}
+Running scancode:
+\begin{verbatim}
+./scancode --html results_detail.html \
+--license \
+--copyright \
+../busybox-1.30.1
+\end{verbatim}
+\end{frame}
+
+\begin{frame}
+\frametitle{Scancode}
+\begin{figure}[h]
+\centering
+\includegraphics[height=6cm]{images/scancode_result.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{FOSSology}
+\begin{figure}[h]
+\centering
+\includegraphics[height=6cm]{images/fossology.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{FOSSology}
+\begin{figure}[h]
+\centering
+\includegraphics[height=4cm]{images/fossology_browser.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{Commercial tools}
+\begin{itemize}
+\item Black Duck
+\item Protecode
+\item FlexNet Code Insight
+\item ...
+\end{itemize}
+\end{frame}
+
+\subsection{What else}
+
+\begin{frame}
+\frametitle{Re-Distribution of a distribution}
+\begin{itemize}
+\item Please be also aware of trademarks
+\item Distribution names are usually registered trademarks
+\item You might need to re-name it or to ask for permission
+\item Legal assessment from OSADL (available for members)
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Re-Distribution of a distribution}
+Example Ubuntu:
+\begin{verbatim}
+Ubuntu: “[...] Any redistribution of modified versions of Ubuntu must
+be approved, certified or provided by Canonical if you are going to
+associate it with the Trademarks. Otherwise you must remove and
+replace the Trademarks [...]"
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Re-Distribution of a distribution}
+Example Debian:
+\begin{verbatim}
+"Derivative distributions must not be named Debian"
+\end{verbatim}
+\end{frame}
+
+\subsection{Establishing a compliance process}
+
+\begin{frame}
+\frametitle{How to establish a compliance process in your company}
+\begin{itemize}
+\item License compliance is only one aspect in handling Open-Source
+\item It's part of a Open-Source program in your company
+\item Stick to existing standards if you can
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Existing standards}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/logo_openchain.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{OpenChain}
+\begin{itemize}
+\item http://www.openchain-project.org
+\item Provides a core set of requirements for a compliance program
+\item Provides training materials
+\item Certification is available
+\end{itemize}
+\end{frame}
+
+\subsection{Who can help}
+
+\begin{frame}
+\frametitle{Organisations: OSADL}
+\begin{itemize}
+\item Legal advice for members
+\item License checklist project
+\item Offers compliance audit as a service
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{OSADL License checklist}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/osadl_checklist.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}
+\frametitle{OSADL: License compatibility matrix}
+\begin{figure}[h]
+\centering
+\includegraphics[width=6cm]{images/osadl_matrix.png}
+\end{figure}
+\end{frame}
+
+
+
+\input{tailpres}
+
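Review bot: The Scancode frame in pres_license_compliance_en.tex fetches the tool over the unauthenticated `git://` transport, which gives the reader no integrity or origin check on a tool they will then run against their source tree and which GitHub no longer serves; the line should read `git clone https://github.com/nexB/scancode-toolkit.git`. The choosealicense.com frame links `https://chossealicense.com`, a misspelling of the domain named in its own frametitle that may resolve to an unrelated site, so it should be `https://choosealicense.com`. The examples `SPDX-License-Identifier: GPL-2.0` and `SPDX-License-Identifier: LGPL-3.0` use identifiers the SPDX license list has deprecated in favour of the explicit `-only`/`-or-later` forms, which the deck's own source link `https://spdx.org/licenses/GPL-2.0-only` already uses, so a compliance training should show `GPL-2.0-only` and `LGPL-3.0-only`. Stylistically, the bare URLs throughout would be safer as `\url{...}` (with `hyperref`) so they hyphenate and link correctly, the `''...''` quoting would typeset as proper quotes as ``` ``...'' ```, and the `[h]` float specifiers with absolute `width=10cm` would be more portable as `[htbp]` with `width=0.8\linewidth`.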
