This annual review will highlight the most significant legal developments related to open source software in 2019, including: •Evolution of open source: control, sustainability, and politics •Litigation update: Cambium and Artifex cases •Patents and the open source community •Impacts of government sanctions •The shift left for compliance and rise of bug bounty programs •And much, much more For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html

1. The 2019 Open Source Year in Review

2. © 2020 Synopsys, Inc. 2
Speakers
Phil Odence
General Manager, Black
Duck Audits at
Synopsys
Tony Decicco
Shareholder, GTC Law
Group & Affiliates
Mark Radcliffe
Partner, DLA Piper,
General Counsel for the
Open Source Initiative
(OSI)

3. © 2020 Synopsys, Inc. 3
Agenda
• Evolution of open source
• Recent litigation
• Patents and the open source community
• Update on business model glitches
• OpenChain becoming ISO
• Shift left for compliance and automation
• Bug bounty programs for open source
• Impact of government sanctions
• And more…

4. © 2020 Synopsys, Inc. 4
Evolution of open source
Who controls the definition of ‘open source’
Rise of ‘political’ use of open source software

5. © 2020 Synopsys, Inc. 5
• Open source community: We won, but now the control of the definition of “open source” is
valuable
– SSO vs. open source development methods
– Open core companies
– Political activists
• Open source as a political statement
– Chef developers vs. Chef management on ICE contract
– Hippocratic License (requiring compliance with United Nations Universal Declaration of Human Rights)
• Sustainability of open source projects
– Keeping personnel
– Funding
– New options for project organization
– Eclipse
– Linux Foundation
Open source at a crossroads

6. © 2020 Synopsys, Inc. 6
Recent litigation

7. © 2020 Synopsys, Inc. 7
Case number 4:19-cv-05764, in the US District Court for the Northern District of California, filed Sept. 13, 2019
Artifex Software Inc. v. Siemens Product
Lifecycle Management Software Inc.
Summary of facts and claims
• Artifex owns Ghostscript (reads PDFs and other formats), which is dual licensed (currently
AGPL and commercial)
• Siemens is alleged to have incorporated the AGPL (and/or earlier GPL) version of Ghostscript
into Solid Edge (design, simulation, manufacturing, and other development software)
• Siemens is alleged to have included a reference to the AGPL-licensed Ghostscript in its
README file for Solid Edge
• Siemens is alleged not to have made “accompanying” source code available, violating the
AGPL/GPL
• Artifex claims breach of contract (GPL v2/v3, AGPL) and copyright infringement
• Damages are unspecified, but Artifex has requested permanent injunctive relief, and
compensatory, statutory, and exemplary damages and accounting of all gains
• Siemens has not yet (as of early 2020) provided an answer to the complaint

8. © 2020 Synopsys, Inc. 8
Artifex Software Inc. v. Siemens Product
Lifecycle Management Software Inc.
Interesting notes
• Artifex appears to have been alerted to this use by a Solid Edge user who logged a bug
through Artifex’s Bugzilla bug-tracking system
• Artifex appears to place meaning and weight into how the user interacts with Ghostscript
through Solid Edge:
• Users do not interact with Ghostscript directly, only interacting through Solid Edge
• Users are not separately notified about the use of Ghostscript (other than the README
file)
• Users cannot opt out of the use of Ghostscript
• It is unclear from the initial complaint whether Artifex is arguing a breach because Siemens
failed to provide corresponding source code for Ghostscript or for the whole Solid Edge
product, but it appears that Siemens has provided notice and attribution of Ghostscript and
the source code for Ghostscript itself

9. © 2020 Synopsys, Inc. 9
Case number 1:18-cv-05369, in the US District Court for the Northern District of Illinois, filed Aug. 7, 2018
Ubiquiti v. Cambium
Summary of facts and claims
• Ubiquiti and Cambium are direct competitors in the wireless networking industry
• Ubiquiti sells several products under “M Series” branding
• Cambium sells a software solution, Elevate, which can be used with third-party hardware
(including M Series products)
• Elevate replaces the original firmware on M Series products
• Ubiquiti alleged that Cambium used Ubiquiti’s firmware as the starting point for Elevate, in
violation of Ubiquiti’s Terms of Use and Firmware License Agreement
• Ubiquiti alleges breach of contract, copyright infringement, DMCA violation, CFAA violation,
unfair competition, misappropriation, and RICO violation, among others
• Damages are unspecified, but include actual, exemplary, statutory, and treble, and request an
accounting of all gains

10. © 2020 Synopsys, Inc. 10
Ubiquiti v. Cambium
Interesting notes
• No open source-related claims made by Ubiquiti
• Ubiquiti’s Firmware License Agreement references open source code
Summary of Cambium’s defenses from First Amended Answer dated Dec. 26, 2019 (open
source–related only):
• Lack of standing
• Cambium argues that of 16,000+ files and 1.4 million lines of code, Ubiquiti authored only portions
of 18 files and that the minor modifications are not copyrightable
• Also raises Ubiquiti’s own license that states that the OSS is licensed directly from original
copyright holders (and not Ubiquiti)
• Laches / waiver / estoppel
• There was a two-year delay between the alleged violations and this cause of action
• Doctrine of release
• Cambium argues that the GPL supersedes Ubiquiti’s license terms for the firmware

11. © 2020 Synopsys, Inc. 11
Ubiquiti v. Cambium
Summary of defenses (continued)
• Unclean hands / breach of the GPL
• Ubiquiti is in breach of the GPL because through this lawsuit it attempts to impose conditions on
GPL-licensed code
• Good faith / bar based on promissory estoppel
• Since Ubiquiti lists such a large amount of GPL-licensed code that makes part of the
firmware, Cambium acted in good faith, thinking that all the code was GPL-licensed
• Bar or unenforceability based on GPL
• Cambium argues that Ubiquiti’s firmware is governed by the GPL
• Invalidity of contract
• Cambium argues that because it is impossible to determine which portions of the
firmware are subject to the GPL (using the materials provided by Ubiquiti at time of
contract), the contract is invalid, indefinite, or unconscionable

12. © 2020 Synopsys, Inc. 12
Ubiquiti v. Cambium
Reaction from the open source community
• Software Freedom Conservancy notes that it is following this case
• Companies using GPL as a weapon is different from SFC-style enforcement
• Neither company complies with the GPL
• Have not provided source in response to SFC requests (after 30 days)
• Ubiquiti was already known to SFC through complaints
• Cambium became known because of the suit
• SFC has opened enforcement actions (nonlitigation) against both

13. © 2020 Synopsys, Inc. 13
Patents and the open source community

14. © 2020 Synopsys, Inc. 14
• Patent licenses in open source licenses
– Can FRAND apply to open source licenses
– SSO vs. open source
• OIN / Microsoft / IBM / Linux Foundation combine to combat patent trolls
• GNOME Foundation & trolls
Patents & OSS: The odd couple

15. © 2020 Synopsys, Inc. 15
Update on business model glitches

16. © 2020 Synopsys, Inc. 16
• The problem
– Cloud providers are able to offer managed services by running
the open source component as a service as part of a larger paid
offering
– Initial approaches (reminder from 2018):
• Redis Labs
– For certain modules moved from AGPL to Apache v2.0 modified
with Commons Clause
• MongoDB
– Moved from AGPL to Server Side Public License (SSPL)
• Confluent
– For some components of the Confluent Platform moved from
Apache 2.0 to the Confluent Community License (CCL); does
not impact Apache Kafka
Glitch #1: Further try to close the ASP/cloud/hosting loophole

17. © 2020 Synopsys, Inc. 17
• The pushback
– New licenses not seen as “truly open source”
– Claims of “overreach” and commercializing
• The reaction
– Not “open source” but “source available”
– Redis Labs
– Abandons the Commons Clause due to “confusion”
– Introduces Redis Source Available License
– MongoDB
– No longer seeking approval of SSPL as an open source license
– Confluent
– No claims CCL is an open source license
Glitch #1: Pushback and reaction

18. © 2020 Synopsys, Inc. 18
Glitch #2: The open source / premium model
• The model
– Core product is open source
– Premium features are provided as paid “add on”
• The issue
– Contributors to open source projects can contribute features that are similar to the premium features
– Reducing (if not eliminating) ability to make money for premium features
• Examples
– Elastic (Elasticsearch)
– Created a three-tier system: open source, free under proprietary license, and commercial
– Amazon partnered with others to create Open Distro for Elasticsearch fork
– Contains components that are meant to replace functionality of proprietary offering from Elastic
– Elastic sued Amazon, claiming trademark infringement (over Amazon Elasticsearch Service)
– Amazon has denied the allegations and has argued that its use of the mark is fair use and also that it was granted a license to use the mark
– GraalVM
– Originated with Oracle Labs
– Community edition and Enterprise edition
– Enterprise edition offers lower memory footprint for microservices, faster performance, and enhanced security
– Most of Twitter’s infrastructure runs on GraalVM
– Twitter does not use the Enterprise edition
– Twitter continues to make (and contribute back) performance improvements

19. © 2020 Synopsys, Inc. 19
CLE credit code
J55412-2294

20. © 2020 Synopsys, Inc. 20
OpenChain becoming ISO

21. © 2020 Synopsys, Inc. 21
• What is it?
– Specification that identifies the key requirements of a good open source compliance program
– Certification that allows companies to show conformance
– Educational materials that help companies learn more about open source compliance
– Community to help answer questions and provide insight
– A project from the Linux Foundation with many industry leaders as members
• What is it not?
– A ready-to-implement one-size-fits-all process for open source review and compliance
• News
– Microsoft and Uber announce OpenChain conformance
– OpenChain will become an ISO standard in the first half of 2020 (in final approval stage)
– Goes from de-facto standard for compliance to a formal standard for compliance
• What this means
– Open source is growing up
– Expect more diligence requests and more compliance
– Expect it to be easier to perform diligence, leveraging others’ work
OpenChain specification

22. © 2020 Synopsys, Inc. 22
Shift left for compliance and automation

23. © 2020 Synopsys, Inc. 23
• Shifting “left”
– Move assessment and compliance process earlier in the development process
– Provide feedback earlier
– Make corrections before they become costly
– Changes culture of development team
• Why?
– 96% of audited codebases contained open source
– 60% of analyzed code was open source
– ~300 open source components per codebase (on average)
• How?
– Integrations
– Black Duck software composition analysis
• Automation
– Allows to auto-approve and auto-reject certain components
– Use automated policy engines and rules
– 80/20 rule: 80+ percent of components can be approved or denied based on bright-line rules
– Permissive licenses can be approved for virtually any use, but beware the “hidden patent license”
– Tempting to reject certain licenses, but almost every license can be approved under certain conditions (except maybe CCA-NonCommercial licenses)
Shifting ‘left’ and automation

24. © 2020 Synopsys, Inc. 24
Bug bounty programs for open source

25. © 2020 Synopsys, Inc. 25
• EU FOSSA 2
– Originally launched as a response to Heartbleed in 2014
– €850K (funded by EU) for 2019, targeting 15 open source projects
– By April: 300+ submissions, €90K paid out, €130K awaiting validation
– By end of year: 600+ submissions, 200 accepted, 26 high/critical, almost €200K in rewards
– 7-Zip, Apache Kafka, Apache Tomcat, Drupal, DSS, FileZilla, FLUX TL, glibc, KeePass, midPoint, Notepad++, PHP Symfony,
PuTTY, VLC, and WSO2
• Internet Bug Bounty
– Has awarded $731K+ in bounties to 200+ hackers for uncovering 800+ flaws
– 501(c)(3) nonprofit, sponsored by individuals and organizations
– Founded by HackerOne, but sponsored by Facebook, Microsoft, GitHub, Ford Foundation
• Microsoft
– ElectionGuard: $15,000 awards for high-impact vulnerabilities in open source SDKs to make voting more secure
• Criticism
– Funding bounty programs prioritizes identifying bugs, not fixing them
– FOSSA 2 offers 20% bonus when bug is fixed, incentivizing solutions
• Commercial offerings
– Companies that provide a crowdsourced solution to finding vulnerabilities, for a fee
Bug bounty programs

26. © 2020 Synopsys, Inc. 26
Impact of government sanctions

27. © 2020 Synopsys, Inc. 27
• Department of Commerce Bureau of Industry and Security (BIS) placed Huawei Technologies
Co., Ltd. and 68 non-U.S. affiliates on the Entity List
– Results: Companies may not export, reexport, or transfer any items subject to Export Administration
Regulations (EAR) to Huawei except in the four areas (reduced to three in August 2019) in which BIS
issued a Temporary General License, or if BIS grants a specific license
• Most OSS is not subject to EAR, because the source code is disclosed, but “private discussion
lists” particularly relating to cyber security may be different
• Google terminates “Android” license (and Google Services) to Huawei, and Huawei turns to
AOSP
• Huawei announces its intention to build alternatives to Google Services
Trade war comes to open source

28. Thank You