Ipr08 2 Beware Of Your Creations Bruno Lowagie
1. Beware of
your creations
iText,
a Free / Open Source PDF library
Case Study: IPR project
by Bruno Lowagie
2. What is iText?
iText is a Free / Open Source Software library that allows
Java and .Net developers to enhance their applications with
PDF generation and manipulation functionalities. iText is used
by Google, Adobe, JasperSoft, IBM, NASA, the DoD, KLM,
NMBS, FedEx, UPS, many different governments, banks,
insurance companies, and so on.
If you want to find out more about iText
visit http://www.lowagie.com/iText/
Or read the book “iText in Action”
3. Context of the IPR project
IBM and SUN are competitors
IBM created the Eclipse Foundation to compete with
SUN on the Java front
Eclipse is an Integrated Development Environment (IDE)
Eclipse is a Java oriented Open Source Community
Eclipse offers a suite of Open Source products
Different Eclipse projects are led by different companies;
Each project/product has its own release cycle
4. Context of the IPR project
The Callisto Simultaneous Release (July 2006) was the
first time a suite of selected products was released
simultaneously
This release was fully tested by IBM and hosted on
servers from the Eclipse Foundation.
Eclipse/BIRT was part of this simultaneous release
Eclipse/BIRT is a Business Intelligence & Reporting Tools
project led by Actuate
Eclipse/BIRT uses iText for PDF Generation
5. Context of the IPR project
IBM only wanted to host iText on their servers if:
The iText license (MPL/LGPL) was changed to EPL
The iText code was vetted and accepted by IBM’s legal
department: the IP of the iText source code had to be
100% OK.
None of these conditions were met; as a result iText was not
a part of the Callisto Simultaneous Release; users had to
download it separately.
The Eclipse Foundation tried to put pressure on Bruno to
release iText under the EPL.
6. Context of the IPR project
Bruno’s response:
Changing to EPL is a No-Go for the iText community.
If IBM doesn’t want to use iText: it’s not our problem; it’s
IBM’s problem! But Actuate wanted to use iText…
Solution: a Research Agreement was signed between
Actuate and Ghent University (Bruno’s employer) to create
a detailed IP Report for iText and to solve all possible IP
issues reported by IBM Canada.
The goal was the integration of iText in the Eclipse Europa
release (July 2007). By the way: we made the release!
7. The Problem with F/OSS Software
A F/OSS library is a joint effort of many different people.
A F/OSS library such as iText grows organically.
Looking at the source code of many projects, you have:
a White zone: code of which the IP is 100% clear; you
know because you have written the code yourself.
a Gray zone: code that was contributed by others. Where
did they get this code? Did they write the code? Were they
allowed to contribute that code?
a Black zone: code that was integrated in the library, but
for which there was no license or authorization.
8. The White Zone
You have written the code yourself, but…
What about your employer? Does your employer own (part
of) the code? Do you have a formal agreement with your
employer with respect to F/OSS?
Where did you get your inspiration? IBM developers are
forbidden to look at any code that is not formally approved
by IBM’s legal team. Good practice or burden?
Note: you don’t always need to own the IPR to do business
with F/OSS! For instance: in the past, iText licenses were
sold by PDF Sages (now acquired by Adobe Systems)
9. The Gray Zone
The code was contributed, but…
Did the contributor agree with the license?
Did the contributor’s employer agree?
Where did the contributor get his inspiration?
The Apache Foundation requires contributors and their
employers to sign a Contributor License Agreement (CLA)
SUN requires contributors to sign a Sun Contributor
Agreement (SCA) as soon as their contributions
contain more than 20 lines of code
10. The Gray Zone
The code was taken from another project, but…
Are the licenses compatible?
Do you respect the other project’s license?
Where did the other project get its code from?
Always keep an online inventory of:
All Contributors (if possible: let them sign a CLA)
All F/OSS Projects used (subset / derivative work)
11. The Black Zone
Unfortunately it may happen that you were not allowed to
use some specific code that is part of your project.
Solution:
either you ask (and get!) permission,
or you remove the code.
12. Examples
Turning Gray and Black into White
A selection of issues that were solved in the context of the
Research Agreement between Actuate and Ghent
University. These issues were reported by IBM’s Legal
Department in Canada.
These issues were solved by Bruno Lowagie, and they give
an idea of the work involved when maintaining a
successful F/OSS project.
Writing code is the easy part of the job ;-)
13. Example 1: JavaWorld article
State Machine to parse XML quickly:
http://www.javaworld.com/javaworld/javatips/jw-javatip128.html
Source code taken from/inspired by this article
Fine print: http://www.javaworld.com/javaworld/common/jw-copyright.html
Copyright - All contents of JavaWorld, including text, programs,
applets, source code, and images are copyrighted and owned by IDG
or the copyright holder specified, all rights reserved. No material may
be reproduced electronically or in print without written permission.
Solution: write to JavaWorld and the author, and get permission!
There were many other places where licenses were
incomplete or missing!
14. Example 2: RC4
Class names and variable names referring to RC4
RC4 was initially a trade secret, but in September 1994 a description
of it was anonymously posted to the Cypherpunks mailing list.
It was soon posted on the sci.crypt newsgroup, and from there to
many sites on the Internet. Because the algorithm is known, it is no
longer a trade secret.
The name "RC4" is trademarked, however. The current status seems
to be that "unofficial" implementations are legal, but cannot use the
RC4 name.
RC4 is often referred to as "ARCFOUR" or "ARC4" (meaning Alleged
RC4, because RSA has never officially released the algorithm), to
avoid possible trademark problems.
Solution: change RC4 into ARCFOUR in all files
15. Example 3: IntHashtable
Class IntHashtable
Taken from ACME.com
// This is 90% based on JavaSoft's java.util.Hashtable.
// Visit the ACME Labs Java page for up-to-date versions of this and other
// fine Java utilities: http://www.acme.com/java/
JavaSoft is a name used by Sun in the past in their Java activities.
Sun indicates use of the class java.util.Hashtable, which is subject to
an unfriendly Sun license.
It is unlikely that this code is available under a license that permits this
use. Without information indicating that Sun approved of this usage
the class should not be used.
Solution: use the same class released by Apache under
the APL in Apache-Commons instead of the ACME class.
16. Example 4: EPS
EPS Functionality
Taken from an example released by SUN under a Sample License.
The Sample License allowed the use of the code, but the source code
contained this text:
/*
* Copyright 1998 by Sun Microsystems, Inc.,
* 901 San Antonio Road, Palo Alto, California, 94303, U.S.A.
* All rights reserved.
*
* This software is the confidential and proprietary information
* of Sun Microsystems, Inc. ("Confidential Information"). You
* shall not disclose such Confidential Information and shall use
* it only in accordance with the terms of the license agreement
* you entered into with Sun.
*/
Solution: after a very long argument about this comment
section versus the Sample License, EPS functionality was
dropped.
17. Example 5: Fedora Linux and nuclear facilities
JAI code
Taken from JAI (by SUN) originally released under a very
liberal License.
However, the license text contains the following clause:
/*
* You acknowledge that Software is not designed, licensed or
* intended for use in the design, construction, operation or
* maintenance of any nuclear facility.
*/
As long as the word “license” isn’t removed, iText can’t be
distributed with Fedora Linux.
Solution: direct communication with the core developers to
solve the problem.
18. Finally
You can save a lot of work by doing things the right
way right from the start.
If it’s too much work, or if it gets in the way of doing
your work, you are not alone!
19. Finally
If you have built castles in the air,
Your work need not be lost;
That is where they should be.
Now put the foundations under them.
(Henry David Thoreau – Walden)