SlideShare una empresa de Scribd logo

Open Source Software Licence Compliance: Art or science?

Shane Coughlan
Shane Coughlan

These are the slides from the keynote entitled 'Open Source Software Licence Compliance: Art or science?' at the OpenChain Summit 2022, presented by Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP.

Derecho
1 de 21
Descargar para leer sin conexión
Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP
The goal for OSS licence compliance… • Tooling which • Knows all the components you are using; • Knows exactly which licence is applicable to each component (including exceptions); • Can automatically generate a complete set of compliance artefacts; • Understands the terms you are trying to out-license on; • Understands the use case (distributable, app store, SaaS, containerized, embedded); • Generates build scripts and installation instructions where necessary; • Suggests remediation for potential problems; • Provides a repository which contains a set of pre-approved components; • Won’t allow/generates an error on build for non-compliance components.
The goal for OSS licence compliance… • Component sources which • Correctly identify the applicable licences • Correctly identify relevant dependencies • Correctly identify relevant dependencies for that particular build configuration • Have a reference implementation with correct compliance artefacts • We are confident do not have included code from elsewhere • Contain easily machine readable metadata covering the above
Challenges • The scale of the problem. An embedded system may contain over 100k components. • Legacy code does not use SPDX/REUSE etc. Much is being retrofitted, but sometimes it’s impossible. • Technology develops faster than compliance. Law develops slower than both • Containerization: where are all the components coming from? • Orchestration (e.g. Kubernetes) compounds this • What is “distribution”? • If you are not distributing to your client, but Docker is (for example), who must comply? • What about secondary liability? • An outsourced developer will frequently provide the compliance artefacts necessary to distribute the software to you….but insufficient information for you to distribute to your end users.
Real issues: examples from Linux Kernel File: arch/m68k/mac/config.c * Much of this was defined by Alan, based on who knows what docs. File: arch/arm/kernel/sys_arm.c * Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c (The file sys_i386.c no longer exists in the source tree.) File: drivers/staging/rtl8192e/rtllib_softmac.c * WPA code stolen from the ipw2200 driver. * Copyright who own it's copyright. File: drivers/staging/rtl8192e/rtllib_softmac_wx.c * Some pieces of code might be stolen from ipw2100 driver * copyright of who own it's copyright ;-)
Real issues: examples from Linux Kernel File: arch/alpha/kernel/smc37c669.c * This software is furnished under a license and may be used and copied... (No licence is specified - hopefully it is compatible with the GPL) Some typically unclear attributions/copyright notices: File: arch/powerpc/platforms/chrp/pegasos_eth.c * And anyone else who helped me on this (Following a set of attributions) File: arch/um/drivers/daemon_kern.c * Copyright (C) 2001 by various other people who didn't put their name here.
Real examples: GPL Overreach SQLMap: GPL, but with an extended definition of “derivative work” which includes any software which * Executes sqlmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw sqlmap output and so are not derivative works).
Code interaction – 3 axes of compliance To what extent must GPL code interact with other code to trigger the requirement for the other to be released under GPL? 1. How closely are the components combined? 2. How is the code delivered (distributed) to the user? 3. What sort of interface does the interaction use?
How closely are the components combined? a. running the two components on separate computers b. running the two components separate virtual machines c. running the two components in separate threads or processes d. running the two components sequentially in the same thread or process (e.g. as a plug in) e. running the two components dynamically linked f. running the two components statically linked g. combining the two components by inserting code from one into the other (e.g. copypaste)
How is the code delivered to the user? a. two components delivered separately at separate times, downloaded initiated by end-user b. two components delivered at the same time, with end-user explicitly accepting download of the copyleft component c. two components delivered simultaneously without the end-user’s explicit involvement, but are clearly separable within the package downloaded d. two components delivered simultaneously and pre-linked e. two components merged into one, inseparably.
How do the components communicate? a. two components communicate through command-line interface or some form of pre-existing inter process communication (e.g. SMTP, or pipes) b. two components communicate through an API which is publicly published and which pre-exists the copyleft component c. two components communicate through an API which is private but which can be demonstrated to pre-exist the copyleft component d. two components communicate through an API defined by the copyleft component e. two components are dynamically linked f. two components are statically linked g. two components are combined into a single executable, inseparably
So, do we need to apply GPL or not? 1. Establish how the interaction operates on all 3 axes. 2. The higher up the list the interaction is, in each case, the less is the likelihood of the problem. 3. Architect your application with this in mind. 4. This is not only a question of minimizing the possibility that you are infringing GPL (which is something only a judge can decide). It’s also about making it more difficult for a copyright holder to claim that you are.
General issues here: 1. The scope of secondary copyright liability (if I encourage, or provide instructions to, or automate a process which means that I am not distributing the code, but the end-user is, am I liable for secondary copyright liability?) 2. Is this true, even if what the end-user is doing is perfectly lawful in itself? 3. (Note: there are several, mainly US cases around Napster and Grokster etc. 4. Thought experiment: it was revealed some years ago that certain Intel CPUs contain a Management Engine running a variant of Minix. 1. If that software contained infringing components, could you, as the person owning and switching on the computer, be held liable? 2. Liability for copyright infringement is not dependent on knowledge or intent. Knowing about the IME, is that fair? 5. Conclusion: the main area where compliance is not being helped, is the law
Where to go from here? 1. Make it easier to find components with known licences, and better- defined dependencies - SPDX, REUSE, GitHub Licence Chooser 2. Clarify existing licence terms for older components - Please relicense to better known licences (and not to fauxpen licences) - Make the licensing information more consistent (e.g .Maven Central Repository) 3. Provide reference implementations, and example compliance materials - OpenChain, Oniro 4. But what about the law?
Blue Sky? How licensing works (in theory): • Developer A decides what rights they want to grant users, for all possible use cases. • Developer A works with legal advisers to either select a licence or draft a new one (!) • B decides they want to use A’s code, reads the licence (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge decides who’s right.
Blue Sky? How licensing works (in practice): • Developer A decides to write some software, and wants to open source it • A (hopefully) picks an existing licence which seems to do what they want, for most use cases. Possibly with the help of the legal dept. • B decides they want to use A’s code, and uses it in a way which is generally understood as acceptable (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge, who probably doesn’t know about FOSS decides who’s right.
Ultimately… A developer may have a pretty good idea of what permissions they want attached to their code, and what outcome they want for certain code combinations…. … but that clarity will be destroyed because the message is filtered through lawyers, the uncertain legal system (which differs between jurisdictions) and the ultimate arbiter is a judge, who may well know nothing about FOSS.
Is there a solution? • The law already acknowledges that the legal rights and obligations can be created without using natural language (e.g. derivatives). • Is it possible to remove the requirement that natural language is the only medium by which the rights and obligations of FOSS licences can be determined? • Can developers select a set of rights they want to apply to their code, and then an agreed algorithm determines how software interactions and compliance materials must be generated? • Can compliance (or at least a subset of it) become deterministic? • This won’t be perfect, but a developer may well settle with it being right 95% if the time.
Such an algorithm… • Must provide consistent and reproducible results. • Must have a mechanism for being updated as practice evolves. Challenges • How to deal with fair use/fair dealing? • As law becomes code (in the Lessig sense) how do we guard against bad actors manipulating governance or the algorithm. • How do we transition existing code into the algorithmic licence?
Conclusion • Compliance is getting more complex as the sheer number of components increases. • New technologies (containerization etc.) compound this • Compliance MUST be automated. There is great progress in this area. OpenChain, SPDX, REUSE frameworks, and technology from FOSSology, Scancode, SW360 and many more, including proprietary vendors, are making huge strides. • However, compliance is still, in part, an art, not a science. • The essence of open source is reducing friction. Can we reduce friction further by looking at the licensing process itself?
Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP

Recomendados

10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...Kyiv National Economic University
 
FITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT
 
Open Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementOpen Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementSebastiano Cobianco
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project ManagementSemen Arslan
 
Open source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsOpen source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsRogue Wave Software
 
The Business Case for Open Source GIS
The Business Case for Open Source GISThe Business Case for Open Source GIS
The Business Case for Open Source GISJoanne Cook
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 

Recomendados

10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...10 things to know about the intersection of blockchain technology, open sourc...
10 things to know about the intersection of blockchain technology, open sourc...Kyiv National Economic University
 
FITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT Toolbox: Choosing the right License
FITT Toolbox: Choosing the right LicenseFITT
 
Open Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementOpen Source in the Enterprise: Compliance and Risk Management
Open Source in the Enterprise: Compliance and Risk ManagementSebastiano Cobianco
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project ManagementSemen Arslan
 
Open source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsOpen source software for IoT – The devil’s in the details
Open source software for IoT – The devil’s in the detailsRogue Wave Software
 
The Business Case for Open Source GIS
The Business Case for Open Source GISThe Business Case for Open Source GIS
The Business Case for Open Source GISJoanne Cook
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Lesson 2
Lesson 2Lesson 2
Lesson 2Sandra Ahn
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web ApplicationMichael Choi
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webPaul Plaquette
 
Internship msc cs
Internship msc csInternship msc cs
Internship msc csPooja Bhojwani
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnetrosu555
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Open Development
Open DevelopmentOpen Development
Open DevelopmentJody Garnett
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)dmgerman
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project reportAkash Rajguru
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source softwareRogue Wave Software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.combigclasses.com
 
Systems Administration
Systems AdministrationSystems Administration
Systems AdministrationMark John Lado, MIT
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 

Más contenido relacionado

Similar a Open Source Software Licence Compliance: Art or science?

Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web ApplicationMichael Choi
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webPaul Plaquette
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxZain Abid
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnetrosu555
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Sonatype
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)dmgerman
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project reportAkash Rajguru
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source softwareRogue Wave Software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.combigclasses.com
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 

Similar a Open Source Software Licence Compliance: Art or science? (20)

Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
System design for Web Application
System design for Web ApplicationSystem design for Web Application
System design for Web Application
 
Summer project- Jack Fletcher
Summer project- Jack Fletcher Summer project- Jack Fletcher
Summer project- Jack Fletcher
 
WP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_webWP_Open-Source_Best_pratice_web
WP_Open-Source_Best_pratice_web
 
Internship msc cs
Internship msc csInternship msc cs
Internship msc cs
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnet
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Open Development
Open DevelopmentOpen Development
Open Development
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)
 
Akash final-year-project report
Akash final-year-project reportAkash final-year-project report
Akash final-year-project report
 
Legal and practical concerns with open source software
Legal and practical concerns with open source softwareLegal and practical concerns with open source software
Legal and practical concerns with open source software
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)
 
Devops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.comDevops interview questions 1 www.bigclasses.com
Devops interview questions 1 www.bigclasses.com
 
Systems Administration
Systems AdministrationSystems Administration
Systems Administration
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 

Más de Shane Coughlan

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11Shane Coughlan
 
OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29Shane Coughlan
 

Más de Shane Coughlan (20)

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17OpenChain Legal Work Group - 2024-01-17
OpenChain Legal Work Group - 2024-01-17
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023Maturity Models - Open Compliance Summit 2023
Maturity Models - Open Compliance Summit 2023
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11
 
OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29OpenChain Legal Work Group - 2023-06-29
OpenChain Legal Work Group - 2023-06-29
 

Último

Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxjennysansano2
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksFinlaw Associates
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Centerejlfernandez22
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Rich Bergeron
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklosbeduinpower135
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasBrandy Austin
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21vasanthakumarsk17
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxgurcharnsinghlecengl
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsRich Bergeron
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSRoshniSingh312153
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Rich Bergeron
 

Último (20)

Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docx
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptx
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklos
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in Texas
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
 

Open Source Software Licence Compliance: Art or science?

  • 1. Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP
  • 2. The goal for OSS licence compliance… • Tooling which • Knows all the components you are using; • Knows exactly which licence is applicable to each component (including exceptions); • Can automatically generate a complete set of compliance artefacts; • Understands the terms you are trying to out-license on; • Understands the use case (distributable, app store, SaaS, containerized, embedded); • Generates build scripts and installation instructions where necessary; • Suggests remediation for potential problems; • Provides a repository which contains a set of pre-approved components; • Won’t allow/generates an error on build for non-compliance components.
  • 3. The goal for OSS licence compliance… • Component sources which • Correctly identify the applicable licences • Correctly identify relevant dependencies • Correctly identify relevant dependencies for that particular build configuration • Have a reference implementation with correct compliance artefacts • We are confident do not have included code from elsewhere • Contain easily machine readable metadata covering the above
  • 4. Challenges • The scale of the problem. An embedded system may contain over 100k components. • Legacy code does not use SPDX/REUSE etc. Much is being retrofitted, but sometimes it’s impossible. • Technology develops faster than compliance. Law develops slower than both • Containerization: where are all the components coming from? • Orchestration (e.g. Kubernetes) compounds this • What is “distribution”? • If you are not distributing to your client, but Docker is (for example), who must comply? • What about secondary liability? • An outsourced developer will frequently provide the compliance artefacts necessary to distribute the software to you….but insufficient information for you to distribute to your end users.
  • 5. Real issues: examples from Linux Kernel File: arch/m68k/mac/config.c * Much of this was defined by Alan, based on who knows what docs. File: arch/arm/kernel/sys_arm.c * Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c (The file sys_i386.c no longer exists in the source tree.) File: drivers/staging/rtl8192e/rtllib_softmac.c * WPA code stolen from the ipw2200 driver. * Copyright who own it's copyright. File: drivers/staging/rtl8192e/rtllib_softmac_wx.c * Some pieces of code might be stolen from ipw2100 driver * copyright of who own it's copyright ;-)
  • 6. Real issues: examples from Linux Kernel File: arch/alpha/kernel/smc37c669.c * This software is furnished under a license and may be used and copied... (No licence is specified - hopefully it is compatible with the GPL) Some typically unclear attributions/copyright notices: File: arch/powerpc/platforms/chrp/pegasos_eth.c * And anyone else who helped me on this (Following a set of attributions) File: arch/um/drivers/daemon_kern.c * Copyright (C) 2001 by various other people who didn't put their name here.
  • 7. Real examples: GPL Overreach SQLMap: GPL, but with an extended definition of “derivative work” which includes any software which * Executes sqlmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw sqlmap output and so are not derivative works).
  • 8. Code interaction – 3 axes of compliance To what extent must GPL code interact with other code to trigger the requirement for the other to be released under GPL? 1. How closely are the components combined? 2. How is the code delivered (distributed) to the user? 3. What sort of interface does the interaction use?
  • 9. How closely are the components combined? a. running the two components on separate computers b. running the two components separate virtual machines c. running the two components in separate threads or processes d. running the two components sequentially in the same thread or process (e.g. as a plug in) e. running the two components dynamically linked f. running the two components statically linked g. combining the two components by inserting code from one into the other (e.g. copypaste)
  • 10. How is the code delivered to the user? a. two components delivered separately at separate times, downloaded initiated by end-user b. two components delivered at the same time, with end-user explicitly accepting download of the copyleft component c. two components delivered simultaneously without the end-user’s explicit involvement, but are clearly separable within the package downloaded d. two components delivered simultaneously and pre-linked e. two components merged into one, inseparably.
  • 11. How do the components communicate? a. two components communicate through command-line interface or some form of pre-existing inter process communication (e.g. SMTP, or pipes) b. two components communicate through an API which is publicly published and which pre-exists the copyleft component c. two components communicate through an API which is private but which can be demonstrated to pre-exist the copyleft component d. two components communicate through an API defined by the copyleft component e. two components are dynamically linked f. two components are statically linked g. two components are combined into a single executable, inseparably
  • 12. So, do we need to apply GPL or not? 1. Establish how the interaction operates on all 3 axes. 2. The higher up the list the interaction is, in each case, the less is the likelihood of the problem. 3. Architect your application with this in mind. 4. This is not only a question of minimizing the possibility that you are infringing GPL (which is something only a judge can decide). It’s also about making it more difficult for a copyright holder to claim that you are.
  • 13. General issues here: 1. The scope of secondary copyright liability (if I encourage, or provide instructions to, or automate a process which means that I am not distributing the code, but the end-user is, am I liable for secondary copyright liability?) 2. Is this true, even if what the end-user is doing is perfectly lawful in itself? 3. (Note: there are several, mainly US cases around Napster and Grokster etc. 4. Thought experiment: it was revealed some years ago that certain Intel CPUs contain a Management Engine running a variant of Minix. 1. If that software contained infringing components, could you, as the person owning and switching on the computer, be held liable? 2. Liability for copyright infringement is not dependent on knowledge or intent. Knowing about the IME, is that fair? 5. Conclusion: the main area where compliance is not being helped, is the law
  • 14. Where to go from here? 1. Make it easier to find components with known licences, and better- defined dependencies - SPDX, REUSE, GitHub Licence Chooser 2. Clarify existing licence terms for older components - Please relicense to better known licences (and not to fauxpen licences) - Make the licensing information more consistent (e.g .Maven Central Repository) 3. Provide reference implementations, and example compliance materials - OpenChain, Oniro 4. But what about the law?
  • 15. Blue Sky? How licensing works (in theory): • Developer A decides what rights they want to grant users, for all possible use cases. • Developer A works with legal advisers to either select a licence or draft a new one (!) • B decides they want to use A’s code, reads the licence (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge decides who’s right.
  • 16. Blue Sky? How licensing works (in practice): • Developer A decides to write some software, and wants to open source it • A (hopefully) picks an existing licence which seems to do what they want, for most use cases. Possibly with the help of the legal dept. • B decides they want to use A’s code, and uses it in a way which is generally understood as acceptable (possibly with the help of the legal department). • B uses the code. • A thinks that B is infringing. An argument involving lawyers ensues. • A judge, who probably doesn’t know about FOSS decides who’s right.
  • 17. Ultimately… A developer may have a pretty good idea of what permissions they want attached to their code, and what outcome they want for certain code combinations…. … but that clarity will be destroyed because the message is filtered through lawyers, the uncertain legal system (which differs between jurisdictions) and the ultimate arbiter is a judge, who may well know nothing about FOSS.
  • 18. Is there a solution? • The law already acknowledges that the legal rights and obligations can be created without using natural language (e.g. derivatives). • Is it possible to remove the requirement that natural language is the only medium by which the rights and obligations of FOSS licences can be determined? • Can developers select a set of rights they want to apply to their code, and then an agreed algorithm determines how software interactions and compliance materials must be generated? • Can compliance (or at least a subset of it) become deterministic? • This won’t be perfect, but a developer may well settle with it being right 95% if the time.
  • 19. Such an algorithm… • Must provide consistent and reproducible results. • Must have a mechanism for being updated as practice evolves. Challenges • How to deal with fair use/fair dealing? • As law becomes code (in the Lessig sense) how do we guard against bad actors manipulating governance or the algorithm. • How do we transition existing code into the algorithmic licence?
  • 20. Conclusion • Compliance is getting more complex as the sheer number of components increases. • New technologies (containerization etc.) compound this • Compliance MUST be automated. There is great progress in this area. OpenChain, SPDX, REUSE frameworks, and technology from FOSSology, Scancode, SW360 and many more, including proprietary vendors, are making huge strides. • However, compliance is still, in part, an art, not a science. • The essence of open source is reducing friction. Can we reduce friction further by looking at the licensing process itself?
  • 21. Open Source Software Licence Compliance: Art or science? Andrew Katz, CEO, Orcro Limited and Partner, Moorcrofts LLP