antelink project, ow2con11, nov 24-25, paris
TRANSCRIPT
Management of open source licenses...
Freddy Munoz, Antelink
[email protected] - twitter: @drfmunoz - © Antelink S.A.S - 2011
Antelink
Open Source Management
Antelink: a team of 7
Antepedia: 1K+ new projects every day, 1M+ projects, 500M+ files, 44Tb+ of data
“The world’s largest knowledge base”
Why open source?
Thousands of enterprise-ready open source projects
80% of companies reuse open source software
Why care about license issues?
Why is it hard to handle licenses?
1. I want it to be GPL… or LGPL… or BSD: respect the author's wishes
Example (a Google search for http://ossproduct.com): an Open Source Product shipped with the EPL license
2. License data may not be reliable: for one Product, GPL V2 in one place and LGPL in its License Agreement
Licenses change over time
License data may be inconsistent, e.g. across
http://jwebmail.sourceforge.net/news.html
http://sourceforge.net/projects/jwebmail/
http://jwebmail.sourceforge.net/about.html
3. Non-compliance = serious implications
Lawsuits
Material loss
Injunctions
IP violation
Devaluation
The BusyBox case
BusyBox (GPLv2) is included in the firmware of an HDTV: Westinghouse includes BusyBox in its HDTV.
December 14th 2009: BusyBox files a lawsuit against Westinghouse.
August 3rd 2010 - Settlement: Westinghouse assessed $150.000 in damages, lost revenue, and millions of dollars of inventory lost (all HDTVs were donated to charity)
How to handle this (issue)? Three approaches:
Manual
Tool based proactive
Tool based reactive
Manual Approach
Keep track of the components in the Product
Maintain a list of licenses... check it manually (a Components Checklist)
The problem: too time consuming (tracking licenses is work)
Tool Approach : Reactive
You build your software: Developer -> Software factory (heuristics, specs) -> Product (final product)
Someone audits your software ($ $): component A …………… GPL, component B ……………. BSD
License issue = re-develop ($ $)
The problem: you already built the software...
Tool Approach : Proactive
You build your software: Developer -> Software factory (heuristics, specs) -> Product (final product)
Iteratively detect license data: an Open Source report at each step (developer, software factory, product)
For example.... in your Git repo (Open Source report)
For example.... on your IDE
Filename             Project          Version  License
antlr-3.jar          Antlr            3.0      BSD
commons-logging.jar  Commons Logging  -        Apache License 2.0
(also listed: new_wizard_back.gif and JunitTestCase.java; EPIC, 1.3, CPL 1.0)
This empowers everyone to comply with licenses
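An added example of the proactive step above (not code from the talk or from Antelink): heuristic license detection run over what a developer has in the repo, compared with the declared license data, producing the per-file "Open Source report". The heuristic patterns, the function names (detect_license, build_report, open_issues) and the sample file contents and paths are constructed for this example.

```python
import re
# Heuristic specs (constructed): a pattern found in a file header or LICENSE
# text and the label it indicates. Order matters: LGPL text also mentions the GPL.
LICENSE_HEURISTICS = [
    (r"GNU Lesser General Public License", "LGPL"),
    (r"GNU General Public License", "GPL"),
    (r"Apache License,? Version 2\.0", "Apache License 2.0"),
    (r"Eclipse Public License", "EPL"),
    (r"Common Public License", "CPL 1.0"),
    (r"Redistribution and use in source and binary forms", "BSD"),
]

def detect_license(text):
    """Return the label of the first matching heuristic, or None."""
    for pattern, label in LICENSE_HEURISTICS:
        if re.search(pattern, text, re.IGNORECASE):
            return label
    return None

def build_report(files, declared):
    """files: {path: text}; declared: {path: manifest license} -> report rows."""
    rows = []
    for path, text in sorted(files.items()):
        detected, stated = detect_license(text), declared.get(path)
        if detected is None:
            status = "UNKNOWN"     # no recognisable license text: review by hand
        elif stated is None:
            status = "UNDECLARED"  # in the repo but missing from the manifest
        elif stated != detected:
            status = "MISMATCH"    # declared license data is not reliable
        else:
            status = "OK"
        rows.append((path, stated, detected, status))
    return rows
def open_issues(rows):
    """Paths that need attention before the product is packaged."""
    return [path for path, _, _, status in rows if status != "OK"]

# Constructed sample inputs (not real project files).
SAMPLE_FILES = {
    "lib/antlr-3.jar/LICENSE": "Redistribution and use in source and binary forms ...",
    "lib/commons-logging.jar/NOTICE": "Licensed under the Apache License, Version 2.0",
    "lib/foo/COPYING": "under the terms of the GNU Lesser General Public License",
    "src/Helper.java": "// Licensed under the Eclipse Public License v1.0",
    "vendor/blob.so": "binary, no license text",
}
SAMPLE_DECLARED = {
    "lib/antlr-3.jar/LICENSE": "BSD",
    "lib/commons-logging.jar/NOTICE": "Apache License 2.0",
    "lib/foo/COPYING": "GPL",  # manifest says GPL, the file says LGPL
}
```

Running build_report(SAMPLE_FILES, SAMPLE_DECLARED) flags the LGPL/GPL mismatch, the undeclared EPL source file and the binary with no license text, while the two components whose manifest entry agrees with the file text pass.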
It’s like bug detection... early is better
[Chart: remediation cost ($) of a license or vulnerability issue versus lifecycle phase: Code, Test & Build, Package, Deliver, Deploy (Developer -> Software factory -> Production environment)]
Prevention instead of correction
Tools
[Chart: sources of Antepedia data - GoogleCode, Maven Central, CodePlex, SourceForge, JBoss, Debian, Eclipse, Apache Arch, Other; shares shown: 55%, 31%, 5%, 4% (Debian)]