Introduction of Free/Open-source Software License and FOSSology
Ryan Cho, JNR321
2013/09/11
Outline
- Preface
- Free/Open Source License: History, Basic Concept, License Categories (BSD/MIT, GPL/LGPL, MPL)
- FOSSology: Introduction, Result of License Scanning
- Conclusion
- Reference
3 Confidential Material for Internal Use Only
Preface: How do we program?
Preface: Download & Combine
Preface: Open Source ≠ Development Methodology
Preface: Open Source = License
Free/Open Source License
Free/Open Source License - History: Free Software
- The term "free software" was coined in 1985 by Richard M. Stallman
- The GNU operating system project began in January 1984
- The Free Software Foundation (FSF) was founded in October 1985
- Keynote: morals and spirit
Free/Open Source License - Basic Concept: Spirit of Free Software
The Four Freedoms:
- Freedom to run the program
- Freedom to study and adapt the program
- Freedom to redistribute copies
- Freedom to improve the program and give the improvements back to the community
Free/Open Source License - History: Open Source Software
- Bruce Perens and Eric Steven Raymond
- Open Source Initiative (OSI), 1998
- Pragmatic compromise (eclecticism) and commercial thinking
- Keynote: quality
Free/Open Source License - Basic Concept: Definition of Open-source Software
Six common features:
- The source code is open
- Not granted to one specific licensee; anyone may use it
- No restriction on where or in which field it is used
- No license fee
- Comes with no warranty
- Derivative works may be provided to others
Free/Open Source License - Basic Concept: Terminology
- Free Software
- Open Source Software (OSS)
- Free/Open Source Software (FOSS)
- Free/Libre/Open Source Software (FLOSS)
Free/Open Source License - Basic Concept: Similar terms
- Freeware (free of charge): free to use, no source code
- Shareware: usually free to use with time or feature limitations, no source code; a commercial version is for sale
- Public domain: intellectual property rights have expired, have been forfeited, or are inapplicable
Free/Open Source License Categories: Different contents of free license terms
The slide draws the licenses on a spectrum, from proprietary at one end to public domain at the other:
Proprietary software license → GPL / LGPL → AGPL → EPL / CPL → MPL / CDDL → Apache 2.0 → MIT / BSD → Public domain
License Categories – BSD/MIT
BSD (3-clause) license text:
Copyright (c) <year>, <copyright holder>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the <organization> nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
MIT license text:
Copyright (C) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Both texts have the same two parts: BSD = C + D, MIT = C + D (C: copyright notice, D: disclaimer).
License Categories – BSD/MIT: C + D
- C: copyright notice
- D: disclaimer
Users get a large scope of usage rights with a small set of obligations: keep the copyright notice and the disclaimer with every copy.
Where the notice should be reproduced:
- Source code: files such as README, LEGAL, LICENSE
- Application: the "About" dialog
- Embedded system devices: the user manual
Free/Open Source License: Copyleft
- Aims to achieve the four freedoms
- Copyright-based: the author pre-authorizes the rights to everyone
- Users must license their own derived works the same way
"I open my source code for you to modify; you have to open yours under the same rules."
This is an authorization constraint.
License Categories - GPL
- GNU General Public License v1 (1989)
- GNU General Public License v2 (1991)
- GNU General Public License v3 (2007)
Authorization constraints, seen from four angles: viral effect (license contagion), license capture, license reciprocity, license inheritance.
Freedom, sharing, reciprocity: we always have to DO this!
License Categories - GPL: Schematic diagram
GPL Program --(modified, or linked into)--> New Program, and the new program is a GPL program.
License Categories - GPL: Works based on the program
1. Modified A (GPLed) → A' (GPLed)
2. A (GPLed) plus a portion of B → A' (GPLed)
3. Linking A (GPLed) with B → C (GPLed)
License Categories – GPL: GPL authorization constraints
The slide's figure: A is a GPLed program. B modifies A and provides the resulting object code to C. C wants to modify it and asks for the source code. B has the obligation to provide the source code to C. The trigger is distribution!!!
License Categories – GPL: GPLv2 vs. GPLv3
- Principle: the two versions are incompatible with each other
- Internationalization: v3 uses new terminology ("propagate", "convey") rather than language tied to US legal concepts
- Patents: v3 specifically addresses patents
- "Tivoization": v3 addresses restrictions, like TiVo's, in consumer products that take away, through hardware, the ability to run modified software
- DRM: v3 addresses digital rights management
- Termination: v3 specifies what happens if the license is violated and how violations are cured
- Exception: code licensed as "GPL version 2 or later" may be used under GPLv3
See the matrix of GPL compatibility in the GNU GPL FAQ.
License Categories - LGPL
- GNU Lesser General Public License v2 (1991), originally named the GNU Library General Public License
- GNU Lesser General Public License v2.1 (1999)
- GNU Lesser General Public License v3 (2007)
License Categories - LGPL: Schematic diagrams
- LGPL Library --(modified)--> New Library, and the new library is an LGPL library.
- LGPL Library --(linked into)--> New Program, and the new program keeps its own license.
License Categories - LGPL: Works based on the program
1. Modified A (LGPLed) → A' (LGPLed)
2. A (LGPLed) plus a portion of B → A' (LGPLed)
3. Linking A (LGPLed) with B → A stays LGPLed, B keeps its own license
Caveat for case 3: the LGPL still requires that the recipient of the combined work be able to modify the library and relink against it, for example by linking dynamically or by supplying the program's object files.
License Categories – GPL/LGPL: Where the GPL's authorization constraints open up
- Criterion: distribution
- Obligation triggered: provide the source code
- No distribution, no obligation to provide source code
- ASP (Application Service Provider): running GPL software as a network service is not distribution, so the ASP is not restricted by the GPL
License Categories – AGPL
- AGPL-3.0, GNU Affero General Public License 3.0
- ASP (Application Service Provider): providing a network service counts the same as distribution, so you must provide the source code to the users of the service
- Apart from section 13 (remote network interaction), its terms are the same as GPLv3
License Categories - AGPL: Schematic diagram
AGPL Program --(combined with, or closely related to)--> New Program, and the new program is an AGPL program.
License Categories - MPL
- Mozilla Public License 1.1
- Common Development and Distribution License 1.0
- Common Public License 1.0 / Eclipse Public License 1.0
License Categories - MPL: Schematic diagram (file-separated)
The slide's figure: an MPL program contains files under MPL, under license X and under license Y side by side. After modification the MPL files stay under MPL, the X files stay under X and the Y files stay under Y; the combination works only while the license terms are compatible with each other.
License Categories - MPL: MPL authorization constraints
- Partial constraints: copyleft applies only to the original scope of authorization
- "Do not infect my code"
- MPL/CDDL (per file): object files built from MPL/CDDL source files must stay under MPL/CDDL; our own source files are up to us
- EPL/CPL (per module): our own independent modules are up to us
License Categories: Different marker, different purpose
- BSD: academic institutions, reputation
- GPL: software developers, research
- Others: commercial, benefit
FOSS License Categories: Common License Term Sheet

Category      License        Full name
BSD class     Apache 1.1     Apache Software License 1.1
              Apache 2.0     Apache License 2.0
              BSD            New BSD License
              MIT            MIT License
              Zlib/libpng    Zlib/libpng License
GPL class     GPL            GNU General Public License 2.0/3.0
              LGPL           GNU Lesser General Public License 2.1/3.0
              AGPL           GNU Affero General Public License 3.0
Other class   CPL/EPL        Common Public License 1.0 / Eclipse Public License 1.0
              MPL            Mozilla Public License 1.1
              CDDL           Common Development and Distribution License 1.0
              QPL            Qt Public License 1.0
              Artistic 2.0   Artistic License 2.0
FOSS License Compatibility
In the compatibility diagram, an arrow from box A to box B means that software under these licenses can be combined, and the combined result effectively has the license of B, possibly with additions from A.
FOSS License Compatibility (in principle): Can different licenses exist in one program?
Legend:
- ◎: compatible; the two license types can exist at the same time
- ◇: compatible, but one license replaces the other (the slide marked the surviving one green and the eliminated one blue)
- △: compatible; a special coexistence case for MPL and GPL
- ×: not compatible

           GPL    MPL    BSD    Specific
GPL        ×      ×      ◇      ×
MPL        △      ◎      ◎      ◎
BSD        ×      ◎      ◎      ◎
Specific   ×      ◎      ◇      Agreement
FOSSology
Introduction: FOSSology (http://fossology.org)
- An open source compliance toolset that provides license and copyright discovery
- Goal: create a public open source software repository together with tools to maintain the repository and facilitate analysis, storage, and sharing of metadata
- Finds and manages licenses in a code base
- Hewlett Packard (HP) initiated FOSSology; it is run as an open source project by the FOSSology team
Using FOSSology:
- Installation: http://fossology.org/download
- Official demo server: http://repo.fossology.org
How FOSSology Works
Components: Web GUI, repository, PostgreSQL database, agents. Uploaded files are stored in the repository; the agents scan them and store their results in PostgreSQL; the Web GUI reports on the stored results.
Snapshot - Homepage (screenshot of the menu)
Snapshot - Upload (screenshot: select a folder or a URL, then select the analyses to run)
Snapshot - Scanning Process
1. Log into the FOSSology UI
2. Upload a compressed file from the local host or from a URL into FOSSology
3. After the upload finishes, FOSSology schedules the new job
4. Jobs 9 to 11 are processed in sequence
5. Jobs 12 to 15 are processed concurrently:
   - Job 12: copyright/email/URL analysis
   - Job 13: MIME-type analysis (determine the MIME type of every file)
   - Job 14: Nomos license analysis
   - Job 15: package analysis (parse package headers)
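The scanning steps above (license analysis of file headers, copyright discovery, putting files into buckets) and the BSD/MIT obligation from the "C + D" slide to reproduce the copyright notice can be tried out with a small stand-alone scanner. This is an added example written for this page, not FOSSology's Nomos agent and not code from the original deck: it matches a deliberately small, hypothetical table of signature phrases against the top of each file, collects copyright lines, sorts files into the deck's license buckets, and reports every BSD/MIT copyright notice that is missing from the shipped LICENSE/NOTICE text. The sample source tree, its file contents and the notice text are constructed for the example.

```python
"""Toy license scanner (added example, not FOSSology code): header-based
license detection, copyright discovery, bucketing, and an attribution
check for BSD/MIT files."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical, deliberately small signature table: one phrase that is
# characteristic of each license's header text. More specific entries come
# first so that an LGPL header (which also mentions the GPL) is not
# classified as GPL.
LICENSE_SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("AGPL-3.0",   re.compile(r"GNU Affero General Public License", re.I)),
    ("LGPL",       re.compile(r"GNU (Lesser|Library) General Public License", re.I)),
    ("GPL",        re.compile(r"GNU General Public License", re.I)),
    ("MPL-1.1",    re.compile(r"Mozilla Public License", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,? Version 2\.0", re.I)),
    ("MIT",        re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD",        re.compile(r"Redistribution and use in source and binary forms", re.I)),
]

# A copyright line: "Copyright", optional "(c)" or "©", a four-digit year, rest of the line.
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*|©\s*)?[0-9]{4}[^\n]*", re.I)

# Buckets follow the deck's term sheet; anything unrecognised needs a human
# to read the accompanying documentation ("See-doc (OTHER)").
BUCKET_OF = {
    "GPL": "GPL-related", "LGPL": "GPL-related", "AGPL-3.0": "GPL-related",
    "BSD": "BSD-class", "MIT": "BSD-class", "Apache-2.0": "BSD-class",
    "MPL-1.1": "Other-class",
}
HEADER_LINES = 30  # only the top of the file is treated as the license header


@dataclass
class FileResult:
    path: str
    license: str                       # detected license id or "UNKNOWN"
    copyrights: List[str] = field(default_factory=list)


def scan_file(path: str, text: str) -> FileResult:
    """Detect the license from the file header and collect every copyright line."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])
    detected = "UNKNOWN"
    for license_id, pattern in LICENSE_SIGNATURES:
        if pattern.search(header):
            detected = license_id
            break
    notices = [m.group(0).strip() for m in COPYRIGHT_RE.finditer(text)]
    return FileResult(path, detected, notices)


def scan_tree(files: Dict[str, str]) -> List[FileResult]:
    """Scan an in-memory tree {path: contents}; a real tool would walk the disk."""
    return [scan_file(path, text) for path, text in sorted(files.items())]


def bucketize(results: List[FileResult]) -> Dict[str, List[str]]:
    """Group file paths by license bucket, like FOSSology's 'GPL bucket'."""
    buckets: Dict[str, List[str]] = {}
    for r in results:
        buckets.setdefault(BUCKET_OF.get(r.license, "See-doc (OTHER)"), []).append(r.path)
    return buckets


def missing_attribution(results: List[FileResult], notice_text: str) -> List[Tuple[str, str]]:
    """BSD/MIT obligation: every copyright notice of a BSD/MIT file must be
    reproduced in the shipped LICENSE/NOTICE text. Returns what is missing."""
    return [(r.path, n) for r in results if r.license in ("BSD", "MIT")
            for n in r.copyrights if n not in notice_text]


# Constructed sample tree (not a real project; names and text are made up).
SAMPLE_TREE = {
    "src/net.c": (
        "/* Copyright (c) 2013 Example Corp\n"
        " * Redistribution and use in source and binary forms, with or without\n"
        " * modification, are permitted provided that ... */\n"
        "int net_init(void) { return 0; }\n"),
    "src/json.c": (
        "// Copyright (C) 2011 Jane Doe\n"
        "// Permission is hereby granted, free of charge, to any person ...\n"),
    "src/dyndns.c": (
        "/* Copyright (C) 2003 Alice Example\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License ... */\n"),
    "src/util.c": (
        "/* Copyright 2010 ACME\n"
        " * See doc/README for the terms of use. */\n"),
}
# Constructed LICENSE file shipped with the sample tree: it reproduces the
# BSD notice but forgot the MIT one.
SAMPLE_NOTICE = "Copyright (c) 2013 Example Corp\nRedistribution and use ... permitted.\n"


if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for r in results:
        print(f"{r.path:14} {r.license:8} {r.copyrights}")
    print("buckets:", bucketize(results))
    print("missing attribution:", missing_attribution(results, SAMPLE_NOTICE))
```

Run directly, the script lists one GPL file, one MIT file, one BSD file and one file whose terms are only described in its documentation, and it reports the MIT copyright line that the LICENSE text fails to reproduce. The "GPL-related" and "See-doc (OTHER)" buckets are exactly the two that the Conclusion singles out for attention; the attribution list is the check a practitioner runs before shipping a BSD/MIT-based binary, embedded firmware or "About" dialog.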
Snapshot - Scanning Result
Example package name: inadyn
Open Source Software Analysis Tools: FOSSology vs. Black Duck vs. Palamida

Penetration
- FOSSology: developed and used by HP
- Black Duck: used by Intel, Samsung, Airbus
- Palamida: used by IBM, Borland, Eclipse

Maturity of software
- FOSSology: released in 2008, currently at version 2.0.0
- Black Duck: has existed since 2002
- Palamida: developed since 2003

Technologies used
- FOSSology: full web UI using PHP and PostgreSQL; also includes a CLI
- Black Duck: unknown
- Palamida: Java

Cost
- FOSSology: open source
- Black Duck: paid service
- Palamida: paid service

Portability: all three are web applications

License
- FOSSology: GPLv2 (LGPL for some libraries)
- Black Duck: none (commercial)
- Palamida: none (commercial)

Functions
- FOSSology: upload a software file or any kind of compressed package; find licenses in all files based on their license headers; find copyright notices in all files; put files in buckets, for example a GPL bucket; does not analyze against a policy of which licenses may be used
- Black Duck: searches files for licenses based on license text; searches files for licenses based on method context; finds license incompatibilities in FOSS; supports SPDX; finds vulnerabilities in the FOSS used; searchable code base for finding suitable FOSS; releases updates of its KnowledgeBase every 3-4 weeks
- Palamida: analyzes headers for licenses; analyzes files or chunks of code against a global database of open source software to find undocumented FOSS; scans and finds vulnerabilities as well as licenses
Conclusion
According to the scanning result, some license types need care:
- GPL-related licenses
- See-doc (OTHER): files whose terms are only described in the accompanying documentation
Possible solutions:
- Obtain a separate authorization from the original author
- Replace the GPL-related package
- Release the GPL-related part of the code
- Rewrite the code
Check the license before using! Stand on the shoulders of giants to develop!
Reference
- Wikipedia: Free Software; Open-source Software; GNU General Public License; BSD License
- Software License Introduction: "Software licensing concepts and an introduction to free software license terms" (軟體的授權觀念與自由軟體授權條款介紹)
- OpenFoundry – FOSSology: "License comparison table (original / modified programs)" (授權條款比較表(原始\修改程式))
- GPL FAQ