Open source software for IoT – The devil’s in the details

Open source software for IoT –
The devil’s in the details
Rod Cope, CTO
Rogue Wave Software

Disclaimer
This presentation shall not be taken as legal
advice and is only for educational purposes.

Title: Open source software for IoT –
The devil’s in the details.
Open source software (OSS) is growing in software development today, especially in
the IoT space, driving technical innovation, enabling productivity gains, and touching
everything from big data and cloud to mobile and embedded. The use of OSS is
favorable, because it decreases the time to market and reduces cost. Despite its
importance and reach, there’s little understanding within the development
community regarding OSS license obligations and what is requested for compliance.
Gartner predicts that by 2016, 99 percent of Global 2000 enterprises will use open
source in mission-critical software. While it’s free, easy to find, and pushes software to
the market faster, it’s vital to understand how to use OSS safely. This seminar will
provide best practices to enable developers to effectively address the challenges and
opportunities related to open source software, creating the greatest benefit from the
proper and safe use of OSS in their next generation IoT devices.

Agenda
• OSS compliance: Should I care?
• Copyright Law overview
• Introduction to ‘Copyleft’
• OSS licenses and terms
• Avoiding liability
• OSS strategy – Where to start
• Case law
– Jacobsen v. Katzer
– Oracle v. Google
– Welte v. Fantec GmbH
– XimpleWare v. Versata et al

OSS compliance: Should I care?
• Diversion of time,
talent, resources
• Impact to customers
& reputation
• Potential waiver of IP
rights
• Potential damages

Copyright: What is it?
• Protection of artistic expressions,
not ideas or functionality
• Music
• Movies
• Artwork
• Literature
• Software

Rights of a copyright owner
• Exclusive rights
– Distribute – Sell
– Reproduce – Copy
– Adapt – Create derivative work
– Perform
– Display
– Transmit
• Neither registration nor notice required to create protection

Copyright introduction
License
$$$
Copyright
Owner User
• Owner chooses to enter into a contract with User
• Owner grants rights to Sell, Copy, Adapt, . . .
• User provides some consideration ($$$)
• User agrees to abide by the license terms
• Other people not allowed to Sell, Copy, Adapt, . . .

Introduction to ‘Copyleft’
License
$$$
Copyright Copyleft
License
$0.0

Concept of Copyleft
• “To understand the concept, you should think of ‘free’ as in
‘free speech,’ not as in ‘free beer’.” – RMS (Author of GPL)
• To keep open source software “free,” terms and conditions
apply requiring steps to preserve that “freedom” for
downstream users.

Copyleft – The cost of freedom
• Copyleft: a copyright licensing scheme for making a program
(or other work) free, and requiring all modified and extended
versions of the program to be free as well
http://www.gnu.org/copyleft/copyleft.en.html

Open source software
• > 2,000 Licenses
• >7,500 repositories
• > 4 billion files
• ~$60B/year savings*
https://www.blackducksoftware.com/ * http://www.freesoftwaremagazine.com/articles/creating_wealth_free_software

Common open source licenses
https://www.blackducksoftware.com/resources/data/top-20-open-source-licenses
What’s the
difference?
> 75% of software uses 5
licenses

MIT License
The MIT License (MIT)
Copyright (c) [year] [fullname]
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
http://opensource.org/licenses/MIT

GPLv3 license select sections
1. "The ‘Corresponding Source’ for a work in object code form means all the source code
needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to
control those activities. . . . ”
6. Conveying Non-Source Forms: You may convey a covered work in object code form under the terms of sections 4 and 5,
provided that you also convey the machine-readable Corresponding Source
under the terms of this License
10. Automatic Licensing of Downstream Recipients: "...and you may not initiate litigation (including a cross-
claim or counterclaim in a lawsuit) alleging that any patent claim is infringedby making, using,
selling, offering for sale, or importing the Program or any portion of it."
11. Patents: . . . Each contributor grants you a non-exclusive, worldwide, royalty-
free patent license. . .
http://www.gnu.org/licenses/gpl.txt

A history of license options
19911988 2001 2004 2007 2012
BSD & MIT
Licenses
GPLv2 Apache 2.0 GPLv3 MPL 2.0CPL
· Implied License
&/or Estoppel
· Implied License
&/or Estoppel
· Patent Disincentive
Clause
· Express Patent
License
· Broad Patent
Retaliation
Clause
· Express Patent
License
· Patent Retaliation
Clause
· Broad Express Patent
License
· Anti-Tivoization clause
· Patent Non-Assert
· Patent Disincentive
Clause
· Express Patent
License
· Patent Retaliation
Clause

Thoughts on derivative works?
Proprietary
Software
MIT
License
Static OR Dynamic Linking
• Provide Copyright Notice
• Provide License
Proprietary
Software
LGPL
v2.1
Dynamic Linking
LibraryExecutable
Proprietary
Software
LGPL
v2.1
Static Linking
Executable
Proprietary
Software
GPL v3
Static OR Dynamic Linking
• Provide License
• Provide Open Source code
• Provide modifications &
change log
• Provide Disclaimer of
warranty in the OSS
• Provide Library Source
Code
• Provide License
change log
warranty in the OSS
• Provide proprietary Object
Code and/or Source Code
so that a modified Library
can generate an executable
• Provide License
change log
warranty for all GPL code
• Provide proprietary
Object Code and/or
Source Code
• Provide License to all IP in
the proprietary code that
uses or is linked to GPL
Related to
linking or
something
else?

GPL/GPL license compatibility
http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility

Step 1: Have a license policy
• You must decide which licenses are acceptable for your
company (and potentially your customers).
• The policy depends on how you plan to use the software.
• GENIVI has the following policy
– Red – GPLv3; LGPLv2/3; BSD 4; MPL1.1; Flora
– Yellow – GPLv2; LGPL2.1; AFL 3; OSL 3; OpenSSL; Public domain
– Green – MPL 2.0; BSD 2/3; MIT/X11; Apache 1.1/2; Artistic 2/1
http://docs.projects.genivi.org/License/Public_Policy_for_GENIVI_Licensing_and_Copyright_v_1.0.pdf
NO
OK
???

Step 2: Educate your developers
• Which software/licenses are acceptable and not
• Which software licenses need to be discussed
• How and who to contact with questions – Point Person
• Disclosure of software use to Point Person

Step 3: Compliance
Apple -
iPhone
Mercedes-Benz

Example supply chain
Manufacturer
Development
Board – Low Level Drivers
Sub-Assembly – Libraries
Product Manufacturer
OSS contribution Retailer

Infringement – consequences
• § 504 – Damages (Actual or Statutory)
– Actual damages to Owner and profits of the Infringer
– Statutory (Timely Registered required) $750 - $30,000 per
infringement, If Willful up to $150,000!
• § 505 – Costs and Attorney Fees
– Usually linked with Willfullness (Pre-Registration required)
• § 502 – Injunction, § 503 – Impounding, and § 506 – Criminal
Prosecution

GPL v3.0
what do we
do now ?
Results of an audit scan tool

27
Dependency issues impact licensing
• OSS often depends on or bundles other OSS
• Need to look at all the dependencies and bundled
projects and their licenses
– Important: The licenses may not be the same!
• Example:
– Geronimo (Apache license) uses MySQL (GPL) through the
MySQL driver (formerly LGPL but now GPL)

28
Multiple packages, multiple licenses
• When a developer downloads and installs those projects they also get additional open source
components that are installed automatically (over 90 additional!!)
AspectJ (19)
- Ant (1.6.3)
- Apache Avalon (4.1.2)
- ASM (2.0)
- ASM (2.2.1)
- Batik (unknown)
- BCEL (5.1)
- Commons BeanUtils (unknown)
- Commons Digester (unknown)
- Commons Logging (unknown)
- DocBook XML (4.1.2)
- DocBook XSL Stylesheets (1.44)
- FOP (0.20.5)
- JDiff (unknown)
- JUnit (3.8.1)
- Jython (2.1)
- Regexp (1.2)
- Saxon (unknown)
- Xalan (2.4.1)
- JDK (1.4.2_12)
Spring Framework (61)
- ActiveMQ (1.1)
- Ant (1.6.5)
- ANTLR (2.7.5H3)
- AOP Alliance (1.0)
- Apache (OJB) (1.0.4)
- Apache xml-apis (1.2.01)
- c3p0 (0.9.0.4)
- cglib (2.1.3)
- com.oreilly.servlet (1.0)
- Commons Attributes (2.1)
- Commons BeanUtils (1.6)
- Commons Codec (1.3)
- Commons Collections (3.1)
- Commons DBCP (1.2.1)
- Commons Digester (1.6)
- Commons Discovery (0.2)
- Commons Fileupload (1.0)
- Commons HttpClient (3.0)
- Commons Lang (2.1)
- Commons Logging (1.0.4)
- Commons Pool (1.2)
Ant (7 bundled)
- Apache xml-apis (1.5)
- Xerces (2.6.2)
- BCEL (5.1)
- BeanShell (1.3.0)
- BSF (2.3.0)
- JUnit (3.8.1)
- JDK (1.4.2_12)
MySQL Connector
(9)
- Ant-Contrib (1.0-b2)
- AspectJ (1.2)
- c3p0 (0.9.1-pre6)
- Commons Logging (1.0.4)
- JBoss Application Server (3.2.7)
- JDBC (2_0)
- JTA (1.0.1)
- JUnit (3.8.1)
- Log4j (1.2.9)
- Commons Validator (1.1.4)
- dom4j (1.6)
- EasyMock (1.1)
- Ehcache (1.1)
- Enterprise Java Beans (2.0)
- Free Marker (2.3.4)
- Hessian (3.0.1)
- Hibernate (2.1.7)
- Hibernate (3.0.5)
- HSQLDB (1.8.0)
- iBATIS (2.1.7)
- iText (1.3)
- J2EE Connector Arch (1.0)
- Jakarta JSTL (1.0.3)
- Jamon (1.0)
- Jasper Reports (1.0.3)
- Java Servlet API (2.4)
- JavaBeans (JAF) (1.0.1)
- JavaMail (1.3)
- JavaServer Faces (1.1)
- JAX-RPC (1.1)
- Jaxen (1.1-beta4)
- JDBC (2_0)
- JDO (2.0)
- JMX (1.0)
- JOTM (2.0.9)
- JTA (1.0.1B)
- JUnit (3.8.1)
- jxl (2.6)
- Log4j (1.2.13)
- ORO (2.0.8)
- POI (2.5.1)
- Quartz (1.5.2)
- Rowset (1.0.1)
- Struts (1.2.8)
- Tag Libs (1.0.6)
- TOPLink (1.0)
- Velocity (1.4)
- Velocity Tools (1.1)
- XDoclet (1.1)

Bundling OSS into other code
Project Foo:
GPL v2
Project Time:
BSD
Project Commercial:
Restrictive EULA
Project Foo:
GPL v2
Project
Time:
BSD
What if I take a file that is under one license and I distribute
it under a different license–do I have to comply with the
original license?

Use of
OSS under GPL
Revisions made to FOSS
Linked to or bundled with
proprietary code Use by wholly
owned sub
Sub is sold to a
3rd party
Internal Use
Use by an
outsourcer or
contractor
Software shared
with “partner”
during further
development
Software
distributed to
end users
Using OSS Distributing OSS
Changes in how FOSS is used can impact license compliance
Example: How OSS is used may change...

Jacobsen v. Katzer: Opens the door
• Model train software under Artistic License
• Distribution without notice (non-compliance)
• Question: contract or copyright
• Contract – State Court and no consideration (OSS is free)
• Copyright – Federal Court,
– OSS license obligations are conditions precedent to the license.
– Failure to comply with obligations extinguishes license.
• Case settled

Google v. Oracle: Make or Buy?
Which Development
Platform should I choose ?

Which way should I choose ?

Google v. Oracle: 9 lines is enough
“the jury reasonably found
that Google’s copying of the
rangeCheck files was more
than de minimis;” - CAFC

APIs/taxonomy are copyrightable
• “the declaring code and the structure,
sequence, and organization of the API
packages are entitled to copyright
protection” – CAFC (Google v. Oracle)

Welte v. Fantec – Germany
• GPLv2.0 software used in a media player
• Fantec : Fantec’s supplier assured them compliance with GPL terms.
• Result: Welte was awarded Attorney’s fees and damages.
• German Court stated:
– “Here, Defendant was not allowed to rely merely on its suppliers’ assurances
that the works supplied did not infringe any third-party rights.
– In any case, Defendant should have performed its own review of the software,
or have someone preform, by hiring knowledgable third parties, such a review of the
software offered and provided by Defendant – even if this would have resulted in
additional costs.”

Versata, Ameriprise, Ximpleware
• “the GPL is a ‘viral’ license in the sense the incorporation of a GPL-covered
software program into a new program ‘infects’ the new program and
requires it to become open source , too” – District Court W.D. Texas
• Take away: Compliance is important even for customers (Ameriprise)

Roadmap to compliance
• 1st appreciate open source software’s benefits
• 2nd develop an open source software strategy
• 3rd know your code: education, Point Person
• 4th know the licenses associated with your code
• 5th comply or use different software

Open source software for IoT – The devil’s in the details

More Related Content

What's hot (20)

Similar to Open source software for IoT – The devil’s in the details (20)

More from Rogue Wave Software (20)

Recently uploaded (20)

Open source software for IoT – The devil’s in the details