Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues
Peter Vescuso
Black Duck Software
Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
Agenda
OSS in Mobile Trends
Application Developers
– Basics of OSS licenses
– License considerations
– Resources
Device Manufacturers
– Issues/Complexity/Supply chain
– What's Inside Gingerbread
– Best Practices
Summary
Open Source Drives Mobile Innovation
Over 3,800 new OSS projects in 2010, doubling each of the last 3 years
94% of new projects that specify a platform are targeting Android and Apple/iOS
Open source has redefined the mobile industry and is spreading far beyond
(chart: New Mobile OSS Projects per year, 2005–2010, rising to over 3,800 in 2010)
New 2010 FOSS Projects by Platform: Android 55%, Apple iOS 39%, Windows 2%, Blackberry 2%, Palm/Web OS 1%, Symbian 1%, Meego/Maemo 0%
Forecast: Mobile Communications Device Open OS Sales to End Users by OS (market share, %)

OS          2009   2010   2011   2014
Symbian     46.9   40.1   34.2   30.2
Android      3.9   17.7   22.2   29.6
RIM         19.9   17.5   15.0   11.7
Apple iOS   14.4   15.4   17.1   14.9
Windows      8.7    4.7    5.2    3.9
Other        6.1    4.7    6.3    9.6
Total      100.0  100.0  100.0  100.0

Source: Gartner (August 2010)
Android is a Huge Market Opportunity
Gartner: Android to become #2 Worldwide Mobile Operating System in 2010, #1 Position by 2014
Android is powering more than smartphones….
Android Devices: Phones, Tablets, eReaders, Autos, more…
HP Touchpad, Lenovo LePad, Automobile: Android-powered Saab, Dell Streak, Droid by Motorola, Samsung Galaxy, HTC Evo Shift, Barnes & Noble Nook, Motorola Xoom
Android Compliance is a Growing Concern
Source: //www.codon.org.uk/~mjg59/android_tablets/
"The vast majority of Android tablets I've been able to find are shipping without any source being made available, and that includes devices from well-known vendors." Matthew Garrett, Red Hat, Linux kernel developer
Types of Open Source Licenses: Reciprocal vs. Permissive
Reciprocal (aka Copyleft).
– When the licensee distributes modified or derived versions, it must make them available under the same (or similar) terms.
– Example is the GPL: if the licensee distributes a "work based on the Program", it must cause the work as a whole to be licensed at no charge to all third parties under the terms of the GPL (GPLv2 §2(b)).
Permissive.
– Modifications/enhancements may remain proprietary.
– Distribution in source code or object code is permitted provided the copyright notice and liability disclaimer are included (and, under 3-clause BSD, contributors' names are not used to endorse products).
– Examples: BSD, Apache Software License.
Most Popular Mobile OSS Licenses
1. GPL
2. LGPL
3. MIT
4. Apache
5. BSD
6. Microsoft
7. Artistic
8. Eclipse
9. Common Public License
10. Mozilla
The OSS License Continuum
(figure: licenses arranged from permissive to restrictive: permissive (MIT, BSD, Apache), weaker copyleft (LGPL, MPL), stronger copyleft (GPL))
Potential License Conflicts
Proprietary licenses.
– Pay a fee
– Most don't provide source
Many OSS licenses allow the licensee to impose further restrictions on downstream recipients when redistributing (Apache 2.0, for example, permits adding your own terms to a combined work), but the GPL does not: GPLv2 §6 and GPLv3 §10 forbid imposing further restrictions on the recipients' exercise of the granted rights.
Some OSS licenses contain patent termination clauses (e.g. Apache 2.0 §3), which have been a source of incompatibility between licenses.
GPLv3 resolved the incompatibility with Apache 2.0; Apache 2.0 remains incompatible with GPLv2, per the FSF, because of its patent termination and indemnification terms.
App Stores and FOSS Licenses
GPL-licensed apps cannot be distributed through the Apple iTunes Store (or any store that imposes restrictions)
– Apple ToS (terms of service) require that all software be licensed for use on a single device only
– "Copylefted software can't be un-freely relicensed, so it can't be transacted for under Apple's current ToS" Eben Moglen, SFLC
– "Just like GPLv2, GPLv3 prohibits distributors from placing additional restrictions on the software through legal documents or similar means" Brett Smith, Free Software Foundation
Android stores
– "So far as we know…the Google Android market… do not place any limitation on how a market participant's application is licensed that would inhibit distributing Android applications in the market under copyleft licensing." Eben Moglen, SFLC
Permissive licenses (e.g., Apache, MIT, BSD) appear to be compatible with app store ToS
Resources
Webinar-based education: //www.blackducksoftware.com/webinars/legal/
– Introduction to Open Source Licenses
– Understanding the Top 10 Open Source Licenses
– Unraveling the Complexities of the GPL
Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html
Issues for Device Manufacturers
How to control and manage building software on a rapidly changing open-source operating system with development forks, governed by multiple licenses, against an aggressive release cycle?
Typical concerns about Android:
– Uses the GPLv2-licensed Linux kernel
– Grown to a collection of ~165 different sub-components
– Written under ~19 different open source licenses
– Includes licenses that are reciprocal, and not all OSI-approved
– Rapid change: averages a major release every 3¼ months
Android & Vendor Innovation
(figure: the Android platform architecture diagram, marking the typical areas of vendor/developer innovation, with application developers above the framework layer)
Source: Google - //source.android.com/
What's Inside Android?
Android 2.3 ("Gingerbread")
165 projects
– 83 are "External"
– Does not include kernel mirror
Total size
– Over 80,000 files
– Over 2 GB total size
– Does not include kernel mirror
A Look Inside Two Android Components: Bionic & Webkit
License types in Bionic: BSD 2.0*, CMU License, Cryptix License, Free clause, FreeBSD, Historical free, INRIA OSL, Intel OSL, Internet Software Consortium, MIT, Public Domain, Python InfoSeek, X.Net License
License types in Webkit: BSD 2.0, David M. Gay License, GPL 2.0, ICU License, LGPL 2.1*, MIT License V2, MIT v2 with Ad Clause License, Mozilla Public License 1.1, PCRE License, Public Domain, SWIG License, The wxWindows Library License, zlib/libpng License
*Declared license
Android 2.3: The Ingredients for "Gingerbread"
Licenses
– Declared license: Apache 2.0
– Components reference 19 different licenses
– External components: Linux and Webkit use reciprocal licenses (GPLv2, LGPL)
– Other components: more than 30 of them use reciprocal licenses (GPL, LGPL, CPL, etc.), e.g. dbus, grub, emma, e2fsprogs, bluez, Bison
– Non-OSI-approved licenses are used, including OpenSSL and bzip2
Managing FOSS in the Mobile Ecosystem and Software Supply Chain
Typical smartphone has over 300 components
(figure: the OS/software stack/device is assembled from corporate-owned IP, proprietary/licensed IP, FOSS and outsourced development, flowing through multi-level supply chains from outsourced/offshore suppliers into your company; component categories include XML, security, networking, email, graphics, database, web services and many more)
Meeting Open Source License Obligations
There is no "mobile device" or small appliance exception which alters obligations under open source licenses
When there is an obligation to provide source code, the obligation is met only by providing the source code corresponding to the specific device that is owned by the person requesting the code
The benefits of an open platform place the burdens of compliance on every vendor that ships the platform
There is no "downstream" defense for upstream violations: a vendor that ships non-compliant code is responsible even when the non-compliance originated with a supplier
Managing complexity requires the establishment of consistent processes
Legal and IP Issues Depend on Your Position in the Ecosystem
Middleware, component developer
– Integration of your code with FOSS has implications for your IP
– How downstream customers use your code may impact your IP
Device manufacturer
– Responsible for the entire bundle of components from suppliers
– Device driver code: open source it or not?
Application developer
– Integration of your code with FOSS has implications for your IP
– Also impacts distribution options
Software Package Data Exchange™ (SPDX™)
Working group of FOSSBazaar (governance best practices group under the Linux Foundation)
Charter: create data exchange standards to enable license and component information sharing (metadata)
Participation from over 16 organizations including software, systems and tool vendors, consultants and foundations
Best Practices for Managing Android
Adopt and enforce an open source and third-party code policy
Identify and track all external code that is used
Automate validation at the point of acquisition and development
Automate monitoring and tracking of Android components
Control the use of components and promote standardization
Use automation tools to produce complete Bills of Materials and reports for supply chain partners
(figure: Policy, Process, Technology)
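The "identify and track all external code" and "produce a Bill of Materials" steps above, as an added example that is not part of the original deck and not Black Duck's tooling: a Python script that walks an AOSP-style checkout, reads each project's MODULE_LICENSE_* marker file (the AOSP convention for declaring a project's license next to its NOTICE file), scans source-file headers for a small set of license phrases, and reports where the licenses found inside a project go beyond the declared one and which projects carry reciprocal licenses. The sample tree, the project names (external/libfoo, frameworks/base) and the header patterns are constructed for the demo and do not come from the page.

```python
"""Declared-vs-detected license inventory for an AOSP-style source tree.

Added example (not from the original deck). AOSP marks each project's license
with an empty marker file MODULE_LICENSE_<KIND> (e.g. MODULE_LICENSE_APACHE2,
MODULE_LICENSE_GPL) next to a NOTICE file; the marker is the *declared*
license, and the files underneath can carry other licenses (as with Bionic
and Webkit above). This script reports both and flags reciprocal licenses.
"""
import os
import re
import tempfile

MARKER_PREFIX = "MODULE_LICENSE_"
SOURCE_EXT = {".c", ".cc", ".cpp", ".h", ".java", ".py", ".js"}
# License kinds whose presence creates source-distribution obligations.
RECIPROCAL = {"GPL", "LGPL", "CPL", "MPL"}
# Constructed, deliberately small set of header phrases; a real scanner
# matches far more license texts and their variants.
HEADER_PATTERNS = {
    "APACHE2": re.compile(r"Apache License,? Version 2\.0", re.I),
    "GPL": re.compile(r"GNU General Public License", re.I),
    "LGPL": re.compile(r"GNU (Lesser|Library) General Public License", re.I),
    "BSD": re.compile(r"Redistributions? of source code must retain", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
}


def declared_licenses(project_dir):
    """License kinds declared by MODULE_LICENSE_* marker files in project_dir."""
    return {n[len(MARKER_PREFIX):] for n in os.listdir(project_dir)
            if n.startswith(MARKER_PREFIX)}


def detected_licenses(project_dir, header_bytes=4096):
    """Map license kind -> files whose header matches it, for every source file
    under project_dir (only the first header_bytes of each file are read)."""
    found = {}
    for dirpath, _, filenames in os.walk(project_dir):
        for fn in filenames:
            if os.path.splitext(fn)[1] not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(header_bytes)
            for kind, pat in HEADER_PATTERNS.items():
                if pat.search(head):
                    found.setdefault(kind, []).append(os.path.relpath(path, project_dir))
    return found


def inventory(root):
    """Build a BOM: one entry per project (a directory holding a marker file)
    listing declared, detected, undeclared and reciprocal licenses."""
    bom = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not any(f.startswith(MARKER_PREFIX) for f in filenames):
            continue
        dirnames[:] = []  # the marker sits at the project root; its subtree belongs to it
        declared = declared_licenses(dirpath)
        detected = detected_licenses(dirpath)
        bom[os.path.relpath(dirpath, root)] = {
            "declared": sorted(declared),
            "detected": {k: sorted(v) for k, v in detected.items()},
            "undeclared": sorted(set(detected) - declared),
            "reciprocal": sorted((declared | set(detected)) & RECIPROCAL),
        }
    return bom


def build_sample_tree(root):
    """Write a constructed AOSP-like tree (not a real checkout) for the demo."""
    files = {
        "external/libfoo/MODULE_LICENSE_BSD": "",
        "external/libfoo/NOTICE": "Copyright (c) Example Project\n",
        "external/libfoo/foo.c":
            "/* Redistributions of source code must retain the above notice. */\n"
            "int foo(void) { return 1; }\n",
        # A vendored file under a different license than the project declares.
        "external/libfoo/third_party/re.c":
            "/* This file is free software; you can redistribute it under the\n"
            " * terms of the GNU General Public License, version 2. */\n",
        "frameworks/base/MODULE_LICENSE_APACHE2": "",
        "frameworks/base/Hello.java":
            "/* Licensed under the Apache License, Version 2.0 (the \"License\"); */\n"
            "class Hello {}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and return its BOM."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for project, entry in sorted(demo().items()):
        flag = "  <-- reciprocal license present" if entry["reciprocal"] else ""
        print(f"{project}: declared={entry['declared']} detected={sorted(entry['detected'])} "
              f"undeclared={entry['undeclared']}{flag}")
```

Run against the constructed tree, external/libfoo declares BSD but contains a GPL-licensed file under third_party/, so it is reported as undeclared and reciprocal, while frameworks/base matches its Apache 2.0 declaration. Point inventory() at a real checkout to get the same per-project report; the header phrase table is the part to grow.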
Summary
Android is highly successful and is changing the mobile and device landscape
Like many FOSS projects, there is complexity inside
The legal and IP issues depend on your role in the mobile supply chain/ecosystem
Effective management and control requires training, tools, and processes
Information Resources
Mark Radcliffe's blog on the Bionic library: "Android and the Kernel: It's not that simple"
– //lawandlifesiliconvalley.com/blog/?p=593
Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html
Email: [email protected]