20. OSS
• OSS is software that is under an Open Source License
• The big shift: industry wants to use it
• Car makers/Software developers/TVs/Phone/Internet-of-things…
27. Architectural Analysis
• What are the components of a system?
• How are they connected?
• What files are part of what components?
• What components are actually used?
34. Examples
• Apple’s OS X:
• Contains many open source components
• Under a variety of licenses (although GPL-licensed components are
being replaced with BSD-licensed ones)
• FreeBSD
• Licensed under the BSD-2 license, but contains GPL’d software
• Disabled by default
49. Provenance Discovery
• Provenance:
• Evidence of origin, history and integrity
• External:
• Where does this module/file/snippet come from?
• Internal:
• How has this file been modified by the project?
57. For effective provenance you need a very large corpus
Journal of Empirical Software Engineering, 2013
Tools without corpus are useless
Industry does not want methods or tools; it wants consulting
71. • What are the different licenses used in GitHub?
• What are the common license change patterns?
• Why do they change?
Most frequently: changes to licensing are documented but not explained
Journal of Empirical Software Engineering, 2017
87. Patrick McHardy
• Former chair of the Netfilter Core Development Team
• Part of Linux; widely used
• Has been seeking non-compliant reusers of the Linux Kernel
• Allegedly for financial gain (it is estimated he has made more than
€2M)
• In 2016 he was suspended from the Netfilter Core Development Team
88. – Greg Kroah-Hartman et al.
“While the kernel community has always supported enforcement efforts to
bring companies into compliance, we have never even considered enforcement
for the purpose of extracting monetary gain.”
http://kroah.com/log/blog/2017/10/16/linux-kernel-community-enforcement-statement/
89. Geniatech vs McHardy
in the words of H. Welte (Netfilter)
• “The court recognized that there is no co-authorship / joint authorship (German:
Miturheber) in the Linux kernel as a whole, as it was not a group of people
planning+developing a given program together, but it is a program that has been
released by Linus Torvalds and has since been edited by more than 15.000
developers without any "grand joint plan" but rather in successive iterations. This
situation constitutes "editing authorship" (German: Bearbeiterurheber)”
• "The court further recognized that being listed as "head of the netfilter core team"
or a "subsystem maintainer" doesn't necessarily mean that one is contributing
copyrightable works. Reviewing thousands of patches doesn't mean you own
copyright on them, drawing an analogy to an editorial office at a publisher.”
• “The court understood there are plenty of Linux versions that may not even
contain any of Patrick McHardy's code (such as older versions)”
http://laforge.gnumonks.org/blog/20180307-mchardy-gpl/
90. But…
• “The Linux kernel development model does not support the claim of Patrick
McHardy having co-authored Linux. In so far, he is only an editing
author (Bearbeiterurheber), and not a co-author. Nevertheless, even
an editing author has the right to ask for cease and desist, but only on
those portions that he authored/edited, and not on the entire Linux kernel.”
• “The plaintiff did not sufficiently show what exactly his contributions were
and how they were forming themselves copyrightable works”
• “The plaintiff being a member of the netfilter core team or even the head of
the core team still doesn't support the claim of being a co-author, as
netfilter substantially existed since 1999, three years before Patrick's first
contribution to netfilter, and five years before joining the core team in 2004.”
91. Important questions:
• What has McHardy contributed to Linux?
• What copyrightable material has he contributed to Linux?
• What is currently in Linux?
92. Context
• 26.5 years of development
• 806k changes
• By 17k different persons
• 63k files
93. Version control and Linux
1991-2002 NONE
2002-2005 BitKeeper
2005 - today git
95. Linux Foundation Request
• Can we know where every “character” of the source code of
the Linux kernel comes from?
96. Linux Foundation (sidebar)
• The Linux Foundation (LF) is not Linux
• LF is a “business league” (not-for-profit, industrial members)
• Its goal: “Building sustainable ecosystems around open source
projects to accelerate technology development and commercial
adoption.”
• It pays the salaries of Linus Torvalds and Greg Kroah-Hartman
97. Linux Foundation efforts
• SPDX: Software Package Data Exchange
• Document open source licenses
• OpenChain
• Documents good-practice processes to improve license compliance
• CHAOSS: Community Health Analytics of Open Source Software
• Create metrics to measure the “health” of an open source project
99. However…
• cregit only tells us what change introduced what
• Open questions:
• What changes are copyrightable?
• Where does the code in a change come from?
• Is the person doing the change the copyright holder?
100. At a more holistic level
• Who are the copyright holders of:
• A system/module/file/function/API
• Is there “residual” IP when code is replaced
with new code?
• On purpose or by evolution