1. Managing Android and the Complexity Inside:
Understanding the Open Source License and Compliance Issues
Peter Vescuso
Black Duck Software
2. Agenda
OSS in Mobile Trends
Application Developers
– Basics of OSS licenses
– License considerations
– Resources
Device Manufacturers
– Issues/Complexity/Supply chain
– What's Inside Gingerbread
– Best Practices
Summary
Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 2
3. Open Source Drives Mobile Innovation
[Bar chart: New Mobile OSS Projects per year, 2005 to 2010; y-axis 0 to 4,000]
Over 3,800 new OSS projects in 2010, doubling in each of the last 3 years
94% of new projects that specify a platform are targeting Android and Apple/iOS
[Pie chart: New 2010 FOSS Projects by Platform]
Android 55%
Apple iOS 39%
Windows 2%
Blackberry 2%
Palm/Web OS 1%
Symbian 1%
Meego/Maemo 0%
Open source has redefined the mobile industry and is spreading far beyond
4. Android is a Huge Market Opportunity
Gartner: Android to become #2 Worldwide Mobile Operating System in 2010, #1 Position by 2014 (note that the table below still puts Symbian at 30.2% to Android's 29.6% in 2014; the two are within a point of each other)
Android is powering more than smartphones….
[Bar chart of the table below: market share by OS for 2009, 2010, 2011 and 2014; y-axis 0 to 50%]
Forecast: Mobile Communications Device Open OS Sales to End Users by OS (Market Share, %)
OS          2009    2010    2011    2014
Symbian     46.9    40.1    34.2    30.2
Android      3.9    17.7    22.2    29.6
RIM         19.9    17.5    15.0    11.7
Apple iOS   14.4    15.4    17.1    14.9
Windows      8.7     4.7     5.2     3.9
Other        6.1     4.7     6.3     9.6
Total      100.0   100.0   100.0   100.0
Source: Gartner (August 2010)
5. Android Devices: Phones, Tablets, eReaders, Autos, more…..
Barnes & Noble Nook, Lenovo LePad, Droid by Motorola, Samsung Galaxy, Dell Streak, HP Touchpad, HTC Evo Shift, Motorola Xoom
Automobile: Android-powered Saab
6. Android Compliance is a Growing Concern
“The vast majority of Android tablets I've been able to find are shipping without any source being made available, and that includes devices from well-known vendors.” Matthew Garrett, Red Hat, Linux Kernel Developer
Source: //www.codon.org.uk/~mjg59/android_tablets/
7. Agenda
OSS in Mobile Trends
Application Developers
– Basics of OSS licenses
– License considerations
– Resources
Device Manufacturers
– Issues/Complexity/Supply chain
– What's Inside Gingerbread
– Best Practices
Summary
8. Types of Open Source Licenses: Reciprocal vs. Permissive
Reciprocal (aka Copyleft).
– Requires licensee to make improvements or enhancements available under similar terms.
– Example is the GPL: Licensee must distribute “work based on the program” and cause such works to be licensed at no charge under the terms of the GPL.
Permissive.
– Modifications/enhancements may remain proprietary.
– Distribution in source code or object code permitted provided copyright notice & liability disclaimer are included and contributors’ names are not used to endorse products.
– Examples: BSD, Apache Software License.
Most Popular Mobile OSS Licenses
1 GPL
2 LGPL
3 MIT
4 Apache
5 BSD
6 Microsoft
7 Artistic
8 Eclipse
9 Common Public License
10 Mozilla
9. The OSS License Continuum
Restrictive ------------------------------------------------> Permissive
GPL (stronger copyleft)  |  LGPL, MPL (weaker copyleft)  |  Apache, MIT, BSD (permissive licenses)
10. Potential License Conflicts
Proprietary licenses.
– Pay a fee
– Most don’t provide source
Many OSS licenses allow restrictions on end users (Apache 2), but GPL does not
Some OSS licenses contain patent termination clauses (e.g., Apache 2.0, MPL)
GPLv3 resolved the incompatibility with Apache 2.0; Apache 2.0 code still cannot be combined into a GPLv2-only work.
11. App Stores and FOSS Licenses
GPL-licensed apps cannot be distributed through the Apple iTunes Store (or any store that imposes restrictions)
– Apple ToS (terms of service) require that all software be licensed for use on a single device only
– “Copylefted software can’t be un-freely relicensed, so it can’t be transacted for under Apple’s current ToS” Eben Moglen, SFLC
– “Just like GPLv2, GPLv3 prohibits distributors from placing additional restrictions on the software through legal documents or similar means” Brett Smith, Free Software Foundation
Android stores
– “So far as we know…the Google Android market… do not place any limitation on how a market participant’s application is licensed that would inhibit distributing Android applications in the market under copyleft licensing.” Eben Moglen, SFLC
Permissive licenses (e.g., Apache, MIT, BSD) appear to be compatible with app store ToS
12. Resources
Webinar-based education: //www.blackducksoftware.com/webinars/legal/
– Introduction to Open Source Licenses
– Understanding the Top 10 Open Source Licenses
– Unraveling the Complexities of the GPL
Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html
13. Agenda
OSS in Mobile Trends
Application Developers
– Basics of OSS licenses
– License considerations
– Resources
Device Manufacturers
– Issues/Complexity/Supply chain
– What's Inside Gingerbread
– Best Practices
Summary
14. Issues for Device Manufacturers
How to control and manage building software on a rapidly changing open-source operating system with development forks, governed by multiple licenses, against an aggressive release cycle?
Typical concerns about Android:
Uses the GPLv2 licensed Linux kernel
Grown to a collection of ~165 different sub-components
Written under ~19 different open source licenses
Includes licenses that are reciprocal, and not all OSI-approved
Rapid change – averages a major release every 3 ¼ months
15. Android & Vendor Innovation
[Diagram: the Android platform stack from source.android.com, with the typical areas of vendor/developer innovation marked]
Source: Google - //source.android.com/
16. What’s Inside Android?
Android 2.3 (“Gingerbread”)
165 Projects
– 83 are “External”
– Does not include Kernel Mirror
Total Size
– Over 80,000 Files
– Over 2GB total size
– Does not include Kernel Mirror
17. A Look Inside Two Android Components: Bionic & Webkit
License types in Bionic: BSD 2.0*, CMU License, Cryptix License, Free clause, FreeBSD, Historical free, INRIA OSL, Intel OSL, Internet Software Consortium, MIT, Public Domain, Python InfoSeek
License types in Webkit: BSD 2.0, David M. Gay License, GPL 2.0, ICU License, LGPL 2.1*, MIT License V2, MIT v2 with Ad Clause License, Mozilla Public License 1.1, PCRE License, Public Domain, SWIG License, The wxWindows Library License
Also listed on the slide, column not recoverable from the extraction: zlib/libpng License, X.Net License
*Declared license
18. Android 2.3: The Ingredients for “Gingerbread”
Licenses
– Declared license: Apache 2.0
– Components reference 19 different licenses
– External components: Linux, Webkit use reciprocal licenses (GPLv2, LGPL)
– Other components: more than 30 of them use reciprocal licenses (GPL, LGPL, CPL, etc.), e.g. dbus, grub, emma, e2fsprogs, bluez, Bison
– Non-OSI approved licenses are used, including OpenSSL and Bzip2
19. Managing FOSS in the Mobile Ecosystem and Software Supply Chain
[Diagram: code flows from Out Source/Offshore suppliers into Your Company and on into Your OS/Software Stack/Device]
Typical Smartphone has over 300 components
Where the code comes from: Corporate-Owned IP, Proprietary/Licensed IP, FOSS, Outsourced development, Multi-level supply chains
What it provides: XML, Security, Networking, Email, Graphics, Database, Web Services, many more…
20. Meeting Open Source License Obligations
There is no "mobile device" or small appliance exception which alters obligations under open source licenses
When there is an obligation to provide source code, the obligation is met only by providing the source code for the specific device that is owned by the person requesting the code
The benefits of an open platform place the burdens of compliance on every vendor that ships the platform
There is no “downstream defense for upstream” violations
Managing complexity requires the establishment of consistent processes
21. Legal and IP Issues Depend on Your Position in the Ecosystem
[Diagram: the three roles below are bracketed together under the label “Integration”]
Middleware, component developer
– Integration of your code with FOSS has implications for your IP
– How downstream customers use your code may impact your IP
Device manufacturer
– Responsible for the entire bundle of components from suppliers
– Device driver code: open source it or not?
Application developer
– Integration of your code with FOSS has implications for your IP
– Also impacts distribution options
22. Software Package Data Exchange™ (SPDX™)
Working group of FOSSBazaar (governance best practices group under Linux Foundation)
Charter: Create data exchange standards to enable license and component information sharing (metadata)
Participation from over 16 organizations including software, systems and tool vendors, consultants and foundations
23. Best Practices for Managing Android
(Policy, Process, Technology)
Adopt and enforce an open source and third-party code policy
Identify and track all external code that is used
Automate validation at the point of acquisition and development
Automate monitoring and tracking of Android components
Control the use of components and promote standardization
Use automation tools to produce complete Bills of Material and reports for supply chain partners
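Slides 22 and 23 name the deliverable (license and component metadata in a shared format) and the practice (identify and track all external code, produce a bill of materials) without showing what either looks like in practice. The Python script below is an added example, not Black Duck's product and not code from the SPDX project: it walks a constructed source tree, fingerprints each component's license from file headers with a few regexes, places it on the continuum from slide 9, flags components whose shipping obliges a source offer, and renders the result as an SPDX tag/value document. The fingerprints, the continuum mapping, the abbreviated headers (modeled on the Gingerbread components named on slide 18) and the vendor-hal component are all assumptions made for this example; the field names follow the SPDX 1.0 tag/value layout.

```python
"""Inventory a source tree, fingerprint each component's license from file
headers, place it on the copyleft/permissive continuum and emit an SPDX-style
tag/value bill of materials. Added example, not Black Duck's tooling."""
import os
import re
import tempfile

# Where each license sits on the continuum (assumed mapping for this example).
CATEGORY = {
    "GPL-2.0": "strong-copyleft",
    "LGPL-2.1": "weak-copyleft",
    "MPL-1.1": "weak-copyleft",
    "Apache-2.0": "permissive",
    "BSD-2-Clause": "permissive",
    "MIT": "permissive",
}

# Header fingerprints (assumptions), most specific first. LGPL is tested before
# GPL because both headers contain "General Public License"; the version phrase
# that follows the license name in a standard header pins the exact license.
FINGERPRINTS = [
    ("LGPL-2.1", r"GNU (?:Lesser|Library) General Public License.{0,200}?version 2\.1"),
    ("GPL-2.0", r"GNU General Public License.{0,200}?version 2(?![.\d])"),
    ("MPL-1.1", r"Mozilla Public License.{0,40}?Version 1\.1"),
    ("Apache-2.0", r"Apache License,? Version 2\.0"),
    ("BSD-2-Clause", r"Redistribution and use in source and binary forms"),
    ("MIT", r"Permission is hereby granted, free of charge"),
]
FINGERPRINTS = [(lic, re.compile(rx, re.I | re.S)) for lic, rx in FINGERPRINTS]

def detect_license(text):
    """SPDX id of the first fingerprint that matches, else NOASSERTION."""
    for spdx_id, rx in FINGERPRINTS:
        if rx.search(text):
            return spdx_id
    return "NOASSERTION"

def scan_component(path):
    """Set of license ids found in the header of every file under one component."""
    found = set()
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                found.add(detect_license(fh.read(4096)))  # headers sit in the first KB
    return found

def build_bom(tree):
    """component -> licenses, continuum categories, and the two flags a device
    vendor needs: does shipping it oblige a source offer, and were any files
    left unidentified (unknown is not the same as clean)."""
    bom = {}
    for comp in sorted(os.listdir(tree)):
        licenses = scan_component(os.path.join(tree, comp))
        cats = {CATEGORY.get(lic, "unknown") for lic in licenses}
        bom[comp] = {
            "licenses": licenses,
            "categories": cats,
            # one copyleft file anywhere in the component is enough
            "source_offer": any(c.endswith("copyleft") for c in cats),
            "unidentified": "NOASSERTION" in licenses,
        }
    return bom

def to_spdx(bom, doc_name):
    """Render the BOM as SPDX tag/value text (field names after the 1.0 spec)."""
    out = ["SPDXVersion: SPDX-1.0", "DataLicense: PDDL-1.0",
           "DocumentComment: <text>Component BOM for %s</text>" % doc_name]
    for comp, rec in bom.items():
        out.append("PackageName: %s" % comp)
        for lic in sorted(rec["licenses"]):
            out.append("PackageLicenseInfoFromFiles: %s" % lic)
        out.append("PackageComment: <text>source_offer_required=%s unidentified_files=%s</text>"
                   % (rec["source_offer"], rec["unidentified"]))
    return "\n".join(out)

# Constructed sample tree: abbreviated license headers for a few of the
# Gingerbread components named on slide 18 plus a hypothetical vendor HAL.
SAMPLE = {
    "bionic/libc/string.c":
        "Copyright (C) 2008 The Android Open Source Project\n"
        "Redistribution and use in source and binary forms, with or without\n"
        "modification, are permitted provided that the following conditions are met:",
    "webkit/JavaScriptCore/jit.cpp":
        "This library is free software; you can redistribute it and/or modify it\n"
        "under the terms of the GNU Lesser General Public License as published by\n"
        "the Free Software Foundation; either version 2.1 of the License",
    "webkit/WebCore/dtoa.cpp":
        "Permission is hereby granted, free of charge, to any person obtaining a copy",
    "e2fsprogs/misc/mke2fs.c":
        "This program is free software; you can redistribute it and/or modify it\n"
        "under the terms of the GNU General Public License as published by the\n"
        "Free Software Foundation; either version 2 of the License",
    "vendor-hal/camera.c":
        "Copyright 2011 Example Device Co. All rights reserved.",
}

def make_sample_tree():
    """Write SAMPLE to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="gingerbread-")
    for rel, header in SAMPLE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(header + "\n")
    return root

if __name__ == "__main__":
    print(to_spdx(build_bom(make_sample_tree()), "gingerbread"))
```

Two design points matter more than the regexes. A component is flagged for a source offer if any one of its files carries a copyleft license, because the obligation on slide 20 attaches to what ships, not to the declared license of the project (webkit here declares LGPL but also contains MIT files; the flag is still set). And a file that matches nothing is reported as unidentified rather than silently passed: on a real Android tree that bucket is where the CMU, Cryptix, INRIA and other licenses from slide 17 land, and it is the part of the report a reviewer has to clear by hand.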
24. Summary
Android is highly successful and is changing the mobile and device landscape
Like many FOSS projects, there is complexity inside
The legal and IP issues depend on your role in the mobile supply chain/ecosystem
Effective management and control requires training, tools, and processes
25. Information Resources
Mark Radcliffe’s blog on the Bionic library: “Android and the Kernel: It’s not that simple”
– //lawandlifesiliconvalley.com/blog/?p=593
Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html
Email: pvescuso@blackducksoftware.com