\input{configpres} \title{\lq License compliance\rq} \maketitle \begin{frame} This training and the related materials are based on best practices and recommendations. This training does not constitute legal advice! No content created by Linutronix should be considered / used as legal advice. For legal advice consult an attorney. \end{frame} \subsection{Copyright} \begin{frame}[fragile] \frametitle{Copyright} \begin{verbatim} ''...Copyright is a legal right, existing in many countries, that grants the creator of an original work exclusive rights to determine whether, and under what conditions, this original work may be used by others...'' \end{verbatim} Source: https://en.wikipedia.org/wiki/Copyright \end{frame} \begin{frame}[fragile] \frametitle{The Berne Convention} \begin{itemize} \item First accepted in 1886 \item Standardized copyright law \item Before the Berne Convention, copyright law was specific to each country \item Copyright exists from the moment the work is created \item No registration is required!! 
\item So, Copyright is given ``automatically'' \item As of today more than 170 parties are signatories of the ``Berne Convention'' \item https://copyrighthouse.org/countries-berne-convention \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Copyright: Granting permissions} \begin{itemize} \item Copyright gives the owner the right to control the use of his work \item Usage needs to be explicitly granted by the copyright owner \item The copyright owner can license the use to another party \item So, with a software license the copyright holder grants a third party the usage of the software in a specific way \item That's why we need to talk about licenses \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Copyright: Who can hold the copyright} \begin{itemize} \item Individual / Author \item Employer \item Organization \end{itemize} \end{frame} \subsection{Open-Source licenses} \begin{frame} \frametitle{Why you have to care about licensing} \begin{itemize} \item Ensure license compliance \item Protect your intellectual property \end{itemize} \end{frame} \begin{frame} \frametitle{What is Open-Source?} Definition by the Open Source Initiative (OSI): \begin{itemize} \item Free Redistribution \item Source Code \item Derived Works \item Integrity of The Author's Source Code \item No Discrimination Against Persons or Groups \item No Discrimination Against Fields of Endeavor \item Distribution of License \item License Must Not Be Specific to a Product \item License Must Not Restrict Other Software \item License Must Be Technology-Neutral \end{itemize} See: https://opensource.org/osd \end{frame} \begin{frame} \frametitle{OSI approved licenses} https://opensource.org/licenses/ \end{frame} \begin{frame} \frametitle{Copyleft: How to get it right ;-)} \begin{itemize} \item A common misunderstanding is that Copyleft is the opposite of Copyright ;) \item BUT\dots LEFT comes from \emph{to leave}: leave, left, left \end{itemize} \end{frame} \begin{frame} \frametitle{Copyleft} 
It basically means that you give someone the right to modify and redistribute copies of a work, BUT when redistributing, the original rights need to be preserved! Preserving the rights of receiving, modifying and redistributing is what we call ``Copyleft''. \end{frame} \begin{frame} \frametitle{Copyleft licenses / Reciprocal licenses} Copyleft-based licenses are also referred to as ``reciprocal licenses'' \end{frame} \begin{frame} \frametitle{Strong and weak Copyleft} \begin{itemize} \item For strong Copyleft all derived works inherit the Copyleft license \item For weak Copyleft not all derived works inherit the Copyleft license \end{itemize} \end{frame} \begin{frame} \frametitle{Protecting your intellectual property} Now that you know the concept of Copyleft, you might realize why license compliance is also about protecting your intellectual property. \end{frame} \begin{frame} \frametitle{Permissive licenses} Open-Source licenses without Copyleft are usually referred to as ``permissive licenses'' \end{frame} \begin{frame} \frametitle{Overview of reciprocal and permissive licenses} \begin{figure}[h] \centering \includegraphics[width=8cm]{images/license_overview.png} \end{figure} \end{frame} \begin{frame} \frametitle{Licenses: GPLv2} \begin{itemize} \item Strong Copyleft \item Code changes have to be documented \item License and Copyright notices have to be included \item Source-Code must be made available when re-distributing \begin{itemize} \item Deliver the source-code with your software / product, or: \item Deliver a written offer which is valid for at least three years \end{itemize} \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{GPL: Example of a written offer} \begin{verbatim} To obtain a copy of the source code being made publicly available by FooBar, Inc. (“FooBar”) related to software used in this FooBar product (“Product”), you should send your request in writing to opensourcecompliance@foobar.com. [...] 
\end{verbatim} Source: \emph{Open Source Compliance in the Enterprise} by Ibrahim Haddad \end{frame} \begin{frame}[fragile] \frametitle{Other obligations of GPL licenses} \begin{itemize} \item The user has to be able to build the code from the provided sources \item The user has to be able to run the code \item The user has to be able to run the modified executable! \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: AGPLv3} \begin{itemize} \item STRONGEST Copyleft license!! \item Distribution also covers the use-case of services over a network!! \item So, network use IS distribution!! \item Code changes have to be documented \item License and Copyright notices have to be included \item Source-Code must be made available when re-distributing \begin{itemize} \item Deliver the source-code with your software / product, or: \item Deliver a written offer which is valid for at least three years \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: LGPLv2} \begin{itemize} \item Weak Copyleft \item If only used as a library, re-distributing the resulting program doesn't need the same license \item BUT the library itself always needs to be re-distributed under the same license \item Code changes have to be documented \item License and Copyright notices have to be included \item Source-Code must be made available when re-distributing \begin{itemize} \item Deliver the source-code with your software / product, or: \item Deliver a written offer which is valid for at least three years \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: (L)GPL v2 vs. 
v3} \begin{itemize} \item v3 released in 2007 \item Patent use is covered \item Tivoization is covered in GPLv3: ``\dots Installation Information for a User Product means any methods, procedures, \textbf{authorization keys}, \dots'' -- i.e.\ for a locked-down User Product, the keys or other means needed to install a modified version must be provided along with the source \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: MIT} \begin{itemize} \item Permissive license \item Very simple \item It basically only requires the preservation of license and copyright notice(s) \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: Apache} \begin{itemize} \item Permissive license \item It basically only requires the preservation of license and copyright notice(s) \item Code changes have to be documented \item Express grant of patent rights from contributors \end{itemize} \end{frame} \begin{frame} \frametitle{Licenses: BSD 2-Clause License (AKA simplified BSD)} \begin{itemize} \item Permissive license \item Two versions of the BSD license are available: 2-clause and 3-clause \item Preservation of license and copyright notice(s) \end{itemize} \end{frame} \begin{frame} \frametitle{Protecting your intellectual property (ctd.)} \begin{figure}[h] \centering \includegraphics[width=10cm]{images/kernel_user.jpg} \end{figure} \end{frame} \begin{frame} \frametitle{A detailed look into ``derived work''} Be careful: not only linking or copying code might result in a derived work: \begin{figure}[h] \centering \includegraphics[width=10cm]{images/derived_work.jpg} \end{figure} \end{frame} \begin{frame}[fragile] \frametitle{So, how does that work for the Linux Kernel?} \begin{figure}[h] \centering \includegraphics[width=10cm]{images/kernel_user.jpg} \end{figure} The kernel uses a license exception for the syscall interface: \begin{verbatim} SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note \end{verbatim} \end{frame} \subsection{Working on / with FOSS} \begin{frame} \frametitle{First of all:} \begin{itemize} \item License decisions are NOT a developer decision \item License decisions are NOT a decision of the team leader or the 
group leader \item IT'S A DECISION OF YOUR LEGAL DEPARTMENT \end{itemize} \end{frame} \begin{frame} \frametitle{Which licenses are allowed?} A process has to be established: \begin{itemize} \item Who is allowed to select new Open-Source components? \item The responsible person should have a list of accepted licenses (approved by the legal department) \item The responsible person should know who to ask when a new license comes in \end{itemize} \end{frame} \begin{frame} \frametitle{Copyright notice: When is it needed?} \begin{itemize} \item When you add a new file \item When you make \textbf{significant} changes to a file \end{itemize} \end{frame} \begin{frame} \frametitle{Copyright notice: What should it look like?} \begin{itemize} \item You can use (c), Copyright or Copr. \item The date of first publication and the date of the last significant change need to be stated \item Full name of the copyright holder needs to be provided: Author, employer or organization \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Copyright notice: Examples} \begin{verbatim} /* * Copyright 2019, Linutronix GmbH */ /* * (c) 1991, Linus Torvalds */ /* * Copyright 2014,2018, Jan Altenberg */ /* * Copyright 2000-2008, Linutronix GmbH */ \end{verbatim} \end{frame} \begin{frame}[fragile] \frametitle{Copyright notice: Examples} Redundancy is allowed: \begin{verbatim} /* * Copyright (c) 2019, Linutronix GmbH */ \end{verbatim} Statements can be combined: \begin{verbatim} /* * Copyright 2013,2015-2019 Jan Altenberg */ \end{verbatim} \end{frame} \begin{frame} \frametitle{License reference} There are several ways to reference the corresponding license in the source code: \begin{itemize} \item Standard license header \item URL reference \item SPDX license identifier \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{License reference: License header} \begin{verbatim} [...] 
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. \end{verbatim} Source: https://spdx.org/licenses/GPL-2.0-only \end{frame} \begin{frame}[fragile] \frametitle{License reference: URL reference} \begin{verbatim} /* * http://opensource.org/licenses/GPL-2.0 */ \end{verbatim} \end{frame} \begin{frame}[fragile] \frametitle{License reference: SPDX license identifier} \begin{verbatim} /* * SPDX-License-Identifier: GPL-2.0 */ \end{verbatim} Note: the bare identifier \texttt{GPL-2.0} is deprecated in the current SPDX license list; state the version intent explicitly with \texttt{GPL-2.0-only} or \texttt{GPL-2.0-or-later} (see https://spdx.org/licenses/GPL-2.0-only). \end{frame} \begin{frame} \frametitle{File notice} EVERY file should contain a copyright notice AND a License reference:\\ copyright notice + license reference = file notice \end{frame} \begin{frame} \frametitle{The SPDX standard} \begin{itemize} \item http://spdx.org \item \textbf{S}oftware \textbf{P}ackage \textbf{D}ata \textbf{E}xchange format \item SPDX is a standard for exchanging ``bill of materials information'' of software (licenses, copyright, \dots) \item Well established (industry standard!) 
\item Many tools available \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{File notice: Example} \begin{verbatim} /* * Copyright 2019, Linutronix GmbH * SPDX-License-Identifier: LGPL-3.0 */ \end{verbatim} \end{frame} \begin{frame} \frametitle{Example of a license list} Illustrative example only -- the binding list is defined by your legal department: \begin{tabular}{|c|c|c|c|c|c|} \hline \textbf{License} & \textbf{internal} & \textbf{Linux Kernel} & \textbf{Lib} & \textbf{Application} & \textbf{Webservice}\\ \hline AGPLv3 & YES & NO & NO & NO & NO\\ \hline GPLv2 & YES & YES & NO & NO & YES \\ \hline LGPLv2 & YES & YES & CHECK & CHECK & YES\\ \hline GPLv3 & YES & NO & NO & NO & YES\\ \hline \end{tabular} \end{frame} \subsection{Related resources} \begin{frame} \frametitle{Dejacode/licenses} \begin{figure}[h] \centering \includegraphics[width=10cm]{images/dejacode_overview.png} \end{figure} https://enterprise.dejacode.com/licenses/ \end{frame} \begin{frame} \frametitle{Dejacode/licenses} \begin{figure}[h] \centering \includegraphics[height=6cm]{images/dejacode_conditions.png} \end{figure} https://enterprise.dejacode.com/licenses/ \end{frame} \begin{frame} \frametitle{tldrlegal.com} \begin{figure}[h] \centering \includegraphics[width=10cm]{images/tldr_legal.png} \end{figure} https://tldrlegal.com \end{frame} \begin{frame} \frametitle{choosealicense.com} \begin{figure}[h] \centering \includegraphics[height=6cm]{images/choosealicense.png} \end{figure} https://choosealicense.com \end{frame} \begin{frame} \frametitle{Recommended reading} \begin{itemize} \item Free Linux Foundation eBook on FOSS compliance:\\ https://www.linuxfoundation.org/blog/2018/12/new-ebook-offers-comprehensive-guide-to-open-source-compliance/\\ \item Free Linux Foundation online seminar on FOSS compliance for developers:\\ https://training.linuxfoundation.org/training/compliance-basics-for-developers/\\ \end{itemize} \end{frame} \subsection{Tools} \begin{frame}[fragile] \frametitle{Scancode} Getting scancode: \begin{verbatim} git clone 
https://github.com/nexB/scancode-toolkit.git \end{verbatim} Running scancode: \begin{verbatim} ./scancode --html results_detail.html \ --license \ --copyright \ ../busybox-1.30.1 \end{verbatim} \end{frame} \begin{frame} \frametitle{Scancode} \begin{figure}[h] \centering \includegraphics[height=6cm]{images/scancode_result.png} \end{figure} \end{frame} \begin{frame} \frametitle{FOSSology} \begin{figure}[h] \centering \includegraphics[height=6cm]{images/fossology.png} \end{figure} \end{frame} \begin{frame} \frametitle{FOSSology} \begin{figure}[h] \centering \includegraphics[height=4cm]{images/fossology_browser.png} \end{figure} \end{frame} \begin{frame} \frametitle{Commercial tools} \begin{itemize} \item Black Duck \item Protecode \item FlexNet Code Insight \item \dots \end{itemize} \end{frame} \subsection{What else?} \begin{frame} \frametitle{Re-Distribution of a distribution} \begin{itemize} \item Please also be aware of trademarks \item Distribution names are usually registered trademarks \item You might need to rename it or ask for permission \item Legal assessment from OSADL (available for members) \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Re-Distribution of a distribution} Example Ubuntu: \begin{verbatim} Ubuntu: “[...] Any redistribution of modified versions of Ubuntu must be approved, certified or provided by Canonical if you are going to associate it with the Trademarks. 
Otherwise you must remove and replace the Trademarks [...]" \end{verbatim} \end{frame} \begin{frame}[fragile] \frametitle{Re-Distribution of a distribution} Example Debian: \begin{verbatim} "Derivative distributions must not be named Debian" \end{verbatim} \end{frame} \subsection{Establishing a compliance process} \begin{frame} \frametitle{How to establish a compliance process in your company} \begin{itemize} \item License compliance is only one aspect of handling Open-Source \item It's part of an Open-Source program in your company \item Stick to existing standards if you can \end{itemize} \end{frame} \begin{frame} \frametitle{Existing standards} \begin{figure}[h] \centering \includegraphics[width=6cm]{images/logo_openchain.png} \end{figure} \end{frame} \begin{frame} \frametitle{OpenChain} \begin{itemize} \item http://www.openchain-project.org \item Provides a core set of requirements for a compliance program \item Provides training materials \item Certification is available \end{itemize} \end{frame} \subsection{Who can help?} \begin{frame} \frametitle{Organisations: OSADL} \begin{itemize} \item Legal advice for members \item License checklist project \item Offers compliance audits as a service \end{itemize} \end{frame} \begin{frame} \frametitle{OSADL License checklist} \begin{figure}[h] \centering \includegraphics[width=6cm]{images/osadl_checklist.png} \end{figure} \end{frame} \begin{frame} \frametitle{OSADL: License compatibility matrix} \begin{figure}[h] \centering \includegraphics[width=6cm]{images/osadl_matrix.png} \end{figure} \end{frame} \input{tailpres}