
RISK MANAGEMENT FOR OPEN SOURCE

Ria Farrell Schalnat

Open Source Should Not Work

(but it does anyway)

The Birth Pangs of Open Source

January 24, 1956: Antitrust settlement. 1964: Bell Labs and MIT collaborate on Multics (forerunner to UNIX). Summer 1982: AT&T breaks up. The Baby Bells fly the nest. AT&T starts charging A LOT for its version of UNIX. A schism results: AT&T promotes its more stable commercial development, while Berkeley continues along the academic, avant-garde and CHEAP deployment path.


AT&T versus Berkeley: The Honeymoon is Over

And a little thing called the Internet didn’t hurt either

Open Source’s Painful Adolescence

Late 1980’s- Early 1990’s

BSD was mired in a legal quagmire that made its future uncertain for several critical years. The Open Source Movement cried out for a new hero. Who can save us?


But even Linux has had its growing pains

The Legal Birth of Open Source

1979: Stallman tried to fix a Xerox printer at MIT. When Xerox wouldn’t give him the source code, he got mad … really mad.

1984: Stallman founded the Free Software Foundation and developed the GPL which gave birth to the concept of copyleft.


Walk Softly But Carry a Big Stick

Copyright

17 USC §504. Infringer Liability

(1) the copyright owner's actual damages and any additional profits of the infringer; or

(2) statutory damages (not less than $750 or more than $30,000; willful infringement can increase the award to $150,000).

17 USC §505. Remedies include costs and attorney's fees.

17 USC §506. Criminal Penalties.

Patent Stick

Patent

35 USC §271: Exclude others from making, using, and selling.

35 USC §284: Increased damages available for willful infringement, but not statutory damages like ©.

Philosophies of Open Source


FSF Style Open Source Definition

Source code must be distributed with the software or otherwise made available for no more than the cost of distribution.

Anyone may redistribute the software for free, without royalties or licensing fees to the author.

Anyone may modify the software or derive other software from it and then distribute the modified software under the same terms.

GPL License Philosophy

Cannot use GPL code to build proprietary products

Static versus Dynamic

Why does this make a difference?

Which program is doing the primary work – the proprietary program or the GPL’ed one?

LGPL explicitly permits proprietary software


GPL versus BSD

The viral clause of the GPL clashed with pragmatic views of many programmers.

The BSD license was less restrictive than the GPL, in the fundamental sense that it did not require derivatives to remain free but instead allowed the creation of proprietary products from open code.

SUN’s Community Source License Philosophy

Sun Microsystems has argued that its “community source license” (SCSL) would “take the advantages from each of the proprietary and open source models and eliminate the disadvantages.”

The core SCSL idea is to create an open-source-like community among individuals and organizations who want to extend and build applications on top of a common infrastructure (e.g., JAVA).

JUST LOOKING

INTERNAL DEPLOYMENT

COMMERCIAL

Business Models


So How Do You Make Money On Open Source?

Technical Support

Loss Leader

Sell it then free it

Accessorize

Service Enablers

Branding

Examples of the Ancillary Business Model

Yggdrasil charged for providing a neat distribution. Then he went one step further and combined a proprietary GUI toolkit for use with Open Source Code.

RedHat: Packaged Linux installations.

Caldera: Married his open source and proprietary code a bit too close for the community’s comfort.

The New Business Model

The world is moving more toward services and away from software-in-a-box models. The source code is free through open source, and your clients will pay you to warrant it, maintain it, document it, etc.


How do you differentiate yourself?

Trademark and branding are becoming more important in the world of Open Source.

Positioning your Open Source Project for Purchase

Make sure you get contributor agreements and copyright assignments from any contributors to your open source codebase.

Scrub the code. Don’t just take the contributor’s word for it.


The Price of Knowledge

Newspaper: $5

Neiman Marcus Cookie Recipe: $250

Microsoft Office Suite: $400

There are some things money can’t buy … Open Source Code: Priceless (except for all those fine print conditions that might get you, depending on the license agreement).

The Coldstone Creamery Model

On the surface, Open Source seems like Baskin Robbins with 31 flavors. OSI (Open Source Initiative) has actually approved over 60 licenses. And sometimes you get dual licenses, so make sure you know which one you have:

http://www.oracle.com/technology/software/products/berkeley-db/htdocs/licensing.html


Managing the Risk

Types of Risk

Security Risks

Quality Risks

Infringement Risks


Security - Whose Eyes Are on the Code?

Question posed by ADTI: What if the Federal Aviation Agency were to develop an application to control 747 flight patterns from a widely distributed GPL open source code.

Just How Secure Is It?

Any major project today has millions of lines of code!

Sensitive government programs do not have to be distributed and therefore don’t have to trigger publication requirements. Government can add proprietary security mechanisms as needed.


Managing Quality Risk

Who has control?

Forking

How strong is the community around it?

Warranties

Support

Who is in control?

Hierarchical Control (BSD)

Leadership Baton (Perl)

Committee Vote (Apache)

Fun with Forks

The right to fork per se is not at issue.

What causes contention is the issue of legitimacy.

It is a question of who can credibly and defensibly choose to fork the code, and under what conditions.


Meritocracy

“Here’s my standing on keeping control: I won’t. The only control I’ve effectively been keeping on Linux is that I know it better than anybody else.”

- Linus Torvalds (LINUX creator)

Strategies

Look for an active community – if it is active then you have more eyeballs and a more active meritocracy.

No warranties – how much risk/liability are you comfortable with? Use CAPS on your level of liability with downstream clients if you can get them. For big projects, you can outsource the warranties.

Remember – you get what you pay for in Open Source!


We Have a Problem, Houston

Code/Product is about to ship. You discover that open source code has contaminated your proprietary codebase. If you release, you are #$#@$@. If you don’t release, you are #$#@$@.

Changing the License

Generally difficult and may be prohibited if the new license will “break” the philosophy or goals of the original license. There are some sanctioned exceptions:

AfferoGPL

LGPL → GPL

Otherwise, you must ask the permission of not just your licensor but the entire chain back to the original distributor. Clean room development and re-release.

Making an Open Source Plan

a.k.a. Managing Your IP Risks


Managing IP Risk 1

How are you going to use the open source code?

Which license applies?

What requirements does the license impose?

(attribution, etc.)

Who owns the code?

Managing IP Risk 2

Contributors

Mergers & Acquisitions

Managing IP Risk 3

Remember that if you are acquiring a foreign target, you should determine whose laws are going to rule in the event of a dispute.


Managing IP Risk 4

Do you specify projects via specific websites, or do you let people Google for open source projects? How do you know that the license is the legitimate license?

Once a project is in – how do you monitor it and maintain it? Where are you going to use it (servers, CDs for distribution as a product in stores, etc.)? How do you deal with new versions of the software?

Managing IP Risk 5

How do you make sure that internal downstream use is aware of open source restrictions, so that you don’t accidentally run into an external distribution?

Approval Process

Audit

Third Party Tools to Scrub Code

Free

www.olex.openlogic.com – Might be a good starting point but, generally, in life you get what you pay for. The scrubber is only as good as its database of open source code, which is constantly growing and changing.

Expensive (used by Sun Microsystems and Cisco)

Blackduck

Palomino

Build your own scrubber

IBM doesn’t trust anyone but itself to vet its code.

YOU CANNOT SCRUB FOR PATENTS


The Red Hat Case

Firestar, which owned a patent on “Object Model Mapping and Runtime Engine for Employing Relational Database with Object Oriented Software,” sued Red Hat and alleged that the Hibernate program infringed the patent. On June 11, 2008, the parties announced their unorthodox settlement: “The covered products include all software distributed under Red Hat's brands, as well as upstream predecessor versions. The settlement also protects derivative works of, or combination products using, the covered products from any patent claim based in any respect on the covered products.”

Jumping Into the Pool


What are Patent Pools

Fairy Godmothers or Future Trolls?

Motivation to join may range from altruism to access to the patents in the pool to a share of the overall royalty stream.

http://www.uspto.gov/web/offices/pac/dapp/opla/patentpool.pdf


Wuxi Multimedia

3C Patent Pool for DVD technical standards (Philips, Sony, Pioneer)

Pool members must grant licenses to “essential” patents for DVD-Video or DVD-ROM on a non-exclusive basis. Requires licensees to grant back to the licensors any essential patents they own.

Wuxi sued 3C members in 2004 for antitrust violations because 3C allegedly charged higher licensing rates to Chinese manufacturers.

The suit was dismissed for failure to state a claim.

Antitrust

U.S. DEP’T OF JUSTICE & FED. TRADE COMM’N, ANTITRUST GUIDELINES FOR THE LICENSING OF INTELLECTUAL PROPERTY (1995) ("IP Guidelines"), reprinted at http://www.usdoj.gov/atr/public/guidelines/ipguide.htm.

Open Source Licenses in Plain English

(or at least as plain as a lawyer can make them!)

(CAVEAT: These are just some highlights – you need to read the whole thing to fully interpret your obligations.)


Some Ground Rules

Many licenses require that any re-distributions include the source, modified source, provide the appropriate notices (some are quite specific re the language and the publication method), a change file, and provide a copy of the applicable license.

Many licenses impose an obligation on the Distributor/Licensor to also license any IPR they have in the modified code (patent, copyright, trade secret).

Berkeley – BSD Style Licenses

Redistribution (original or modified / source or binary) and use are permitted provided:

Include © notice, license conditions and disclaimer. The name of the author may not be used to endorse or promote products derived from this software without specific written permission.

Traditional Disclaimer of Warranty - Software provided AS IS.

Mozilla 1.1

Commercial Use means distribution or otherwise making the Covered Code available to a third party.

Covered Code means the Original Code or Modifications or combinations or portions.

Larger Work means a work which combines Covered Code or portions thereof with code not governed by the terms of this License (See, Sections 3.7 & 5)

Include a “LEGAL” file describing any third party IP rights to code or implementation of APIs. Ongoing duty. Contributor represents that code is original and that they have sufficient rights to grant (Section 3.4)

If you sue a Participant (Initial Developer or Contributor) for patent infringement, this License shall terminate upon 60 days notice unless you (see Section 8.2):

Agree in writing to pay a royalty for past and future use, or


Netscape 1.1

Incorporates Mozilla 1.1 + extra.

Licensor’s Branded Code is excepted from this License even if it intersects with Covered Code.

Licensor may be contractually limited from providing 3rd party code in the Covered Code. 3rd Party Code may be integrated into the Covered Code without triggering this License.

Licensor can include Covered Code in other Licensor products for 2 years before the provisions of this License are triggered.

GNU General Public License - Version 2 – June 1991

Preamble: Freedom means libre not gratis. Think free speech, not free beer. [Picture of beer]

0. License applies to any program with the GPL Notice. Activities other than copying, distribution, and modification are not covered by this License. The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For FSF software, write to the FSF, which may make an exception for this. The decision will be guided by preserving the free status of all derivatives and the sharing/reuse of software generally.

Affero (AGPLv1)

The GNU GPL does an excellent job of protecting freedoms for users and developers, but there are questions about the applicability of the license for software that is run over a network. This is based on the GNU GPL except for section 2(d).


GNU Lesser General Public License – Version 2.1, February 1999

Preamble: Applies to specially designated software packages – typically FSF libraries and those who use this license. Any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. This license permits linking certain libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two (according to FSF) is a derivative work of the original library. The ordinary GPL therefore permits such linking only if the entire combination fits its criteria of freedom.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a “work that uses the Library”. Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a “work that uses the Library” with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a “work that uses the Library”. The executable is therefore covered by this License.

GNU General Public License — Version 3

Section 3: No covered work shall be … part of a technological measure … fulfilling [legal copyright] obligations.

Section 8: Allows cure prior to termination and reinstatement – kinder and gentler than GPLv2.

Section 11: Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor’s essential claims to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

No discriminatory license deals.

Questions

Ria Farrell Schalnat

Patent Attorney & Counsel
President of CincyIP
2200 PNC Center
201 East Fifth Street
Cincinnati, OH 45202-4182
(513) 651-6426
(513) 651-6981
[email protected]
www.frostbrowntodd.com


Sources

The Success of Open Source – Steven Weber

Law Seminars International – Open Source Software – June 9, 2008

Computer Software Agreements – Quitmeyer, Ridley, and Matuszeski

Computer Contracts – Roditti

Various websites associated with Open Source Licenses
