antelink project, ow2con11, nov 24-25, paris

Management of open source licenses...

Freddy MunozAntelink

[email protected]: @drfmunozⒸ Antelink S.A.S - 2011

mailto:[email protected]

mailto:[email protected]

Antelink

Antelink

Open Source Management

Antelink team of 7

Antepedianew projectsevery day

files

1K+500M+1M+ projects

data files44Tb+

“The world’s largest knowledge base”

Why open source?

thousands of enterprise-ready

open source projects

Why open source?

thousands of enterprise-ready

open source projects80%reuse open source software

of companies

Why caring about license

issues?

Why caring about license

issues?

Why is it hard to handle licenses?

1I want it to be

GPL… or LGPL… or BSD

Respect the author’s wishes

Googlehttp://ossproduct.comOpen Source Product

Product

Open Source Product shipped with the EPL license

Open Source Product

2 License data may not be reliable

GPL V2

Product

License Agreement

LGPL

Licenses change over time

License data may be

inconsistenthttp://jwebmail.sourceforge.net/news.html

http://sourceforge.net/projects/jwebmail/

http://jwebmail.sourceforge.net/about.html

http://jwebmail.sourceforge.net/news.html

http://jwebmail.sourceforge.net/news.html





3 Non compliance = Serious implications

Lawsuits

Material loss

Injunctions

IP violation

Devaluation

The BusyBox case

Firmware BusyBox

GPLv2

BusyBox included in the firmware

firmware

HDTV

Westinghouse includes BusyBox into its HDTV

December 14th 2009

BusyBox fills a lawsuit against Westinghouse

v/s

Settlement: Westinghouse

assessed damages,

lost revenue,and lost

inventory

August 3rd 2010 - Settlement: Westinghouse assessed $150.000 in damages , lost revenue, and millions of dollars of inventory lost (all HDTV were donated to charity)

How to handle this

(issue)?

Manual

Tool based proactive

Tool based reactive

Three approaches

Manual Approach

Keep track of components

Product

Maintain a list of licenses... check it manually

Product

Maintain a list of licenses... check it manually

Product

Components Checklist

The Problem: too time consuming

Tracking licenses

Work

Tool Approach : Reactive

You build your software

Heuristicsspecs

Developer


Heuristicsspecs

Developer Software factory

Product

Final product

Someone audits your software

$ $

Product

Someone audits your software

$ $

Product

component A …………… GPLcomponent B…………….BSD

License issue = re-develop$ $

Heuristicsspecs


Product

Final product

License issue = re-develop$ $

component A …………… GPLcomponent B…………….BSD

Heuristicsspecs


Product

Final product

Product

The problem: you already

built the software...

Tool Approach : Proactive


Heuristicsspecs


Product

Final product

Iteratively detect license data

Heuristicsspecs

Developer


Heuristicsspecs

Developer

Open Source report


Heuristicsspecs


Open Source report


Heuristicsspecs


Open Source report Open Source report


Heuristicsspecs


Product

Final product

Open Source report Open Source report


Heuristicsspecs


Product

Final product

Open Source report Open Source report Open Source report

For example.... in your Git repo

Heuristicsspecs

Developer

For example.... in your Git repo

Heuristicsspecs

Developer

Open Source report

For example.... on your IDE

Filename

BSD

CPL 1.0

Version

Antlr

EPIC-

-

CPL 1.0

1.3

antlr-3.jar 3.0

Commons Loggingcommons-logging.jar Apache License 2.0

License

new_wizard_back.gif

Project

JunitTestCase.java

This empowers

everyone to

comply with licenses

It’s like bug detection... early is better

Product

Final product

Heuristicsspecs

Developer Production environment

cost

$

Lifecycle phase

Rem

edia

tion

cost

of a

lic

ense

orv

ulne

rabi

lity

issu

e

Software factory

Code Test & Build PackageDeliver

Deploy

Prevention instead of

correction

Tools

GoogleCode

55%

31%

5%Maven Central

CodePlex

SourceForge

JBoss

Other

Debian

4%

Antepedia

Eclipse

Apache Arch

Heuristicsspecs

Product

antelink project, ow2con11, nov 24-25, paris

Technology