Protecode Inc. 2015
Open Source Software: What Are Your Obligations?
Thursday, April 23rd, 2015
Agenda
Open Source Software
– What is Open Source?
– Licence and copyrights overview
– Case studies
Open Source Software Management
– Controlling the adoption of Open Source
– Are we using it?
– Open Source attributes. Where are they?
– Software package pre-approval
– Composite projects
– Options: manual versus automated
Wrap up and Q/A
Martin Callinan, Director, Source Code Control
Andrew Katz, Managing Partner/Chief Executive, Moorcrofts LLP
Open Source Everywhere
(Slide shows logos of companies that have dedicated OSS teams.)
“Every Company Is a Software Company”
– CEO Mendix
Linux dominates every sector of computing (except desktop)
http://www.zdnet.com/article/20-great-years-of-linux-and-supercomputers/
By 2016, the vast majority of mainstream IT organisations will
use open source in mission-critical solutions.
https://www.gartner.com/doc/2822619
• 44% of all code created in the world is OSS, and increasing
• 80% of newly deployed code is open source
• 31% of OS X is OSS, 75% of Android
• Stats demonstrate OSS more innovative than proprietary
• 36% lower defects in OSS than comparable proprietary code
http://transfersummit.com/sites/default/files/materials/rgardler/ts11daffara-notes.pdf
http://www.openforumacademy.org/library/ofa-fellows-reference-library/ofe-fellows-reference-library/Hosted%20Files/first-conference-proceedingsA4.pdf
What is open source?
• Source code is available
• Freedom to use (for any purpose)
• Freedom to study and modify
• Freedom to distribute (original or modifications)
Open source software still has an owner, and to use it you need a licence.
Open Source Licensing
• There are hundreds of different types of licence.
• They range from very simple to more complex.
• Many licences are easy to comply with.
• Some licences are subject to “copyleft”.
• ‘Permissive’ or ‘Academic’ licences
• You can do what you want, including building the code into proprietary products.
• Compliance usually limited to incorporating disclaimers and attributions if you distribute.
• Examples: BSD, Apache
Easy compliance
• ‘Reciprocal’, ‘Copyleft’, ‘Sharealike’
• If you distribute the program (as-is, or modified), you must do so under the same terms.
• You can’t incorporate strong-copyleft code (e.g. GPL) into proprietary code. Weak-copyleft licences (e.g. Mozilla Public License, Microsoft Public License) apply per file: the covered files stay under their own licence but can be combined with proprietary files.
• If you breach, you’re in breach of copyright.
• e.g. GPL, Mozilla Public License, Microsoft Public License
Difficult compliance
Distribution?
Copyleft licences are only relevant on distribution.
But distribution may mean many things:
• Supply to customers
• Transfer to companies within the same group
• Transfer to outsourcing provider
• Use of software over a network (SaaS): network-copyleft licences such as AGPL and OSL treat this as a trigger for the source-code obligations even though no copy changes hands
Distribution in breach of licence is a breach of copyright.
Non-copyright risk issues
• Patents – know your exposure, know if you need to get a licence (e.g. codecs)
• Bugs (security, in particular)
Why you need to know what code you are running.
Case Studies
Financial Services
• Compliance driven by regulator
• Pensions providers required to do due diligence on their service providers to assess risk of software failure
• Our client required to undertake an annual audit of code used to provide solutions to pensions providers
M&A Transactions
• Open source due diligence now routine in M&A transactions
• Purchaser/investor will want comfort that the codebase is clean, and that appropriate procedures are in place
Heartbleed
• OpenSSL deployed by hundreds of thousands of end-user companies for encryption in web apps and elsewhere
• Trillions of dollars of transactions depend on it
• Critical bug found (CVE-2014-0160: a missing bounds check in the TLS heartbeat extension let a remote peer read server memory, including private keys)
• Companies had to answer to shareholders and regulators
Mitigating risk
• Ensure deep knowledge of your codebase
• Employ appropriate practices and procedures to ensure code cleanliness
• Document provenance
• Test practices and procedures - auditing
Martin Callinan – Source Code Control Limited
Open Source Software Management
OSS in Organisations
Shall we use OSS, or do we know if we use OSS already?
– Risk assessment
  • Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects:
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
Licensing Challenges of OSS
Produced by a large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a licence
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations
Compliance is not always clear
Open Source projects use open source projects
Composite projects may have multiple licenses
– Project license
  • A top level license, or top level document listing applicable licenses
  • Look for website information, LICENSE, COPYING, or README files
– Subfolder licenses
  • Indicate sub-level OSS projects
  • Not always present
– File licenses
– Exceptions: subfolder holding binaries or libraries
  • Generally do not have a license document
  • You are on your own to determine the binary or library licenses
– Automated code scanning tools should resolve these cases
License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: the GPL (and its varieties) is incompatible with many other licenses, including some other copyleft licenses and, for GPLv2, Apache 2.0; permissive licenses such as MIT and BSD are compatible with it (see https://www.gnu.org/licenses/license-list.html for a detailed list)
– Compatibility is directional: code under a GPL-compatible permissive license can go into a GPL project, but GPL code cannot be relicensed into a permissive or proprietary one
Establishing A Baseline
Objective: Identify all 3rd party content and identify licensing attributes
Tasks:
– Inspect all source code and build ingredients to create a Bill of Materials (BoM).
– Key files:
  • Text files containing license text
  • Text files that may make reference to licenses
  • Any other documentation
– Determine the distribution method
  • Source? Binary? Deployment?
– Assess the fit with the policy
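Putting the composite-project, compatibility and baseline slides together, here is an added example (not Protecode's or Source Code Control's tooling) of a minimal baseline scan: walk a tree, pick up LICENSE/COPYING documents in each folder (nested packages get their own entry), pick up SPDX-License-Identifier tags in source file headers, flag binaries that sit in a folder with no licence document, and then check the resulting BoM against the distribution model. The sample tree, the title-phrase signatures, the file-name list and the one-line obligation wording are constructed assumptions for the demo; a real scanner matches full licence texts and code snippets.

```python
"""Baseline licence scan: build a bill of materials (BoM) for a source tree
and check it against a distribution policy.

Added example for this transcript, not Protecode's or Source Code Control's
tooling.  Signature phrases, file names, sample tree and policy wording are
assumptions chosen for the demo; a production scanner matches full licence
texts and snippets rather than a document's opening lines."""
import os
import re
import tempfile

# Phrases that open the canonical licence texts (assumed list; versions are not detected).
TITLE_SIGNATURES = [
    ("GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL"),
    ("GNU LESSER GENERAL PUBLIC LICENSE", "LGPL"),
    ("GNU GENERAL PUBLIC LICENSE", "GPL"),
    ("Mozilla Public License", "MPL"),
    ("Apache License", "Apache"),
    ("Permission is hereby granted, free of charge", "MIT"),
    ("Redistribution and use in source and binary forms", "BSD"),
]
LICENSE_DOCS = {"LICENSE", "LICENSE.TXT", "LICENSE.MD", "COPYING", "COPYING.TXT"}
SOURCE_EXT = {".c", ".h", ".py", ".js", ".java", ".go"}
BINARY_EXT = {".so", ".dll", ".jar", ".a", ".dylib"}
COPYLEFT = {"GPL", "LGPL", "AGPL", "MPL"}
NETWORK_COPYLEFT = {"AGPL"}  # obligations triggered by network use, not only by distribution
PERMISSIVE = {"MIT", "BSD", "Apache"}
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")


def classify(text):
    """Map a licence document to a family by its opening lines; None if unrecognised."""
    head = text[:400].lower()
    for phrase, family in TITLE_SIGNATURES:
        if phrase.lower() in head:
            return family
    return None


def build_bom(root):
    """Return sorted (path, licence) records: one per folder carrying a licence
    document, one per source file with an SPDX header, and an UNKNOWN record for
    a binary in a folder without a licence document.  Source files without a
    header are taken to inherit the nearest licence document."""
    bom = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        dir_lic = None
        for name in files:
            if name.upper() in LICENSE_DOCS:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    dir_lic = classify(fh.read()) or "UNKNOWN"
                bom.append((rel.replace(os.sep, "/"), dir_lic))
        for name in files:
            path = os.path.normpath(os.path.join(rel, name)).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in BINARY_EXT and dir_lic is None:
                bom.append((path, "UNKNOWN"))
            elif ext in SOURCE_EXT:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    tag = SPDX_TAG.search(fh.read(2048))
                if tag:
                    bom.append((path, tag.group(1)))
    return sorted(bom)


def check_policy(bom, distribution):
    """Return (path, licence, obligation) for distribution in
    'internal', 'hosted', 'source' or 'binary'.  The wording is a coarse summary;
    the weak-copyleft licences (LGPL, MPL) carry narrower obligations than this."""
    findings = []
    shipped = distribution in ("source", "binary")
    for path, lic in bom:
        family = lic.split("-")[0]  # "BSD-3-Clause" -> "BSD", "GPL-2.0-only" -> "GPL"
        if lic == "UNKNOWN":
            findings.append((path, lic, "no licence text found: determine the licence before use"))
        elif family in NETWORK_COPYLEFT and (shipped or distribution == "hosted"):
            findings.append((path, lic, "offer corresponding source to all users, including network users"))
        elif family in COPYLEFT and shipped:
            findings.append((path, lic, "distribute under the same terms and supply corresponding source"))
        elif family in PERMISSIVE and shipped:
            findings.append((path, lic, "ship attribution notices and disclaimers"))
    return findings


def demo_tree():
    """Constructed sample tree (not a real project): top-level Apache licence,
    a nested GPL package, a source file with an SPDX header, an unlicensed binary."""
    root = tempfile.mkdtemp()
    layout = {
        "LICENSE": "Apache License\nVersion 2.0, January 2004\n",
        "src/main.c": "/* SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
        "third_party/parser/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n",
        "lib/vendor.so": "\x7fELF",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    bom = build_bom(demo_tree())
    for model in ("internal", "hosted", "binary"):
        print(model, check_policy(bom, model))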
Package Pre-Approval
Evaluate OSS before it is used
Workflow Process
– Request/Assess/Approve-Reject
Information required for pre-approval
– Project & Package Information
  • Project name, URL, license, author(s), type, exportability, etc.
– Usage Model
  • Distribution model (binary, source, hosted, internal only, etc.)
  • Types of derivatives (Modified? Linked? Loosely coupled?)
  • Organization specific information
    – Business unit
    – Business justification
  • Maintenance and support
Automated OSS Management Tools
Commercial tools are available for building and managing a code inventory
– Establish policies, pre-approve packages, establish a baseline
– Scripted bulk analysis, library analysis, build analysis
– Developer Assistant real-time desktop analysis
Complete scanning solution
– Detect third party projects, files or snippets within a portfolio
– Create a Bill of Materials (BoM) of all components
– Report on licenses, copyrights, security vulnerabilities, export control obligations, encryption content
– Detect, interpret and create Software Package Data Exchange (SPDX) files
– Report on license obligations and license compatibilities
– Concatenate licenses and notices for distribution with a product
– Integrate within a development lifecycle using powerful APIs
Accurate and up to date information
– Driven by a reference Global IP Signatures (GIPS) database
– Updated and synchronized with the National Vulnerability Database 24x7
Wrap Up
If you do not use Open Source software, you will be left out
– Managed adoption of Open Source software is the way to go
Compliance requires
– Knowledge of what OSS packages are used
  • Creating and maintaining a software Bill of Materials
– Access to the OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
Managing Open Source content requires automated tools
– Manual methods are expensive, inaccurate and take too long
Q&A
Please type your questions into the chat box to the right
About Moorcrofts
Firm-wide focus on corporate, tech and HR law
Tech expertise across the board, such as:
– Open source licensing
– Software and hardware agreements
– IPR protection
– Data security
Work in a range of industries from start-ups through to AIM-listed businesses, including:
– Life science, biotech and pharma
– IT
– Financial
– New media
For more information, contact Andrew Katz +44 1628 470003; [email protected]
About Source Code Control Limited
• Ease the adoption of Open Source Software
• Software source code audits
  • Legal risk/licence compliance
  • Security vulnerabilities
  • Operational risk
• Enable greater use of OSS across the organisation
  • Quality code
  • Secure code
  • Compliant code
• DevOps services
About Protecode
Global Supplier of software compliance and security vulnerability management solutions
Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Complete Set of Solutions for Managed Adoption of Open Source
Next Steps
• Book an individual discussion: [email protected]
  • Managing existing OSS projects
  • Planning for future OSS adoption
  • Code reviews
• Useful resources
  • Open Source Initiative: http://opensource.org/
  • Free Software Foundation: http://www.fsf.org/
  • BCS Open Source Specialist Group: http://ossg.bcs.org/
  • For more information about Source Code Control Limited: http://www.sourcecodecontrol.co
  • For more information about Moorcrofts: http://www.moorcrofts.com/
  • Whitepapers, case studies and educational videos from Protecode: http://www.protecode.com/resources/