Open Source Compliance BKMs* And A Few WKMs*


Open Source Compliance BKMs* and a few WKMs*
Andrew Wilson, Open Source Strategist
28-May-2013
*Best Known Methods, Worst Known Methods

Introductions
- SW developer, venture capitalist, open source enthusiast since 1990
- Director of Intel's internal OSS* approval process since 2008
- Not a lawyer and this is not legal advice
- Today's agenda is not a deep dive:
  – What you want to accomplish
  – What you want to avoid
  – Some known pitfalls
  – Some known solutions
- Q&A
*includes Free, Libre, and Open Source SW

Quick OSS conceptual refresher
- Open source is not public domain
- Open source is copyrighted SW used only under license
- The basic OSS bargain: you may use valuable SW, possibly for free, but only under set terms and conditions
- Ts and Cs might be simple (BSD, Apache) or complex (GPL, EPL); they must be followed

Things you want to accomplish
- Be (and be seen by the community as) a responsible user
- Be (and be seen by the community as) a good contributor
- Use your company's IP responsibly

Things you want to avoid
- Loss of your corporate reputation: easy to lose, hard to restore
- Legal challenges
- Unpleasant surprises about your own copyrights, patents, trade secrets, or trademarks

Some not so good ideas (Edsel image: http://1957timecapsule.wordpress.com)

WKM #1: assume everyone knows what they're doing
- Why this is not a good assumption
- Engineers
  – SW licensing & IP basics are not typically taught in engineering school
  – Grew up in the golden age of plagiarism
  – Thought experiment: how much audio/video is on your engineers' personal systems, and where did it all come from?
- Lawyers
  – Few experienced OSS lawyers, few court precedents; much technobabble to decode

WKM #2: do not manage your suppliers
- Suppliers, even large and sophisticated ones, may still be low on the OSS learning curve
- Suppliers have their own outsourcing suppliers and may unwittingly be "passing the trash"
- If you must turn to a supplier to fix an urgent OSS compliance problem, it may already be too late

WKM #3: no OSS process; undocumented process; manual process only
- No process: you will screw up. You probably already have screwed up and may not know it yet
- Undocumented process: no consistency or fairness
- Manual process only: the process is unreliable and does not scale

WKM #4: selective, grudging compliance
- "We would use your SW but think fooPL is a bad license. Please change your license to barPL to accommodate us."
- "We think your interpretation of fooPL is wrong, and our outside counsel (with no previous OSS experience) agrees."
- "Fubar Inc. doesn't open source its Linux drivers, therefore we don't have to, either."
- "We don't like any current open source licenses so we wrote our own."
- Selective compliance is in some ways worse than no compliance
- Public arguments with developers only hurt you, never help

Some much better ideas (Lotus 72 image source: Wikimedia Commons)

BKM #1: training
- Bumper sticker wisdom: "If you think education is expensive, try ignorance" – Derek Bok
- Make good quality open source training available to all who need it
- Good quality means:
  – Crisp and actionable (i.e. good for engineers)
  – Based on your best legal interpretation
  – Consistent with community practice
- (free plug) LF compliance training is an excellent resource

BKM #2: crisp directions for suppliers
- The standard purchasing contract should require full disclosure of OSS deliverables
- Acceptance criteria (preferably tied to milestone payments) should include OSS source code drops
- Always validate that GPL source drops from suppliers actually compile, and that they build the binary you ship; the GPL's obligation is for complete corresponding source, not a tarball that happens to arrive with the deliverable
- SPDX tagging will be a big plus to standardize SW BOMs

BKM #3: documented OSS process using tools
- The OSS compliance process should be baked into the development and release cycle and documented appropriately
- Management should send the message that OSS compliance is "must have," not "nice to have"
- Tools are never perfect but are always more scalable and repeatable than manual methods. Consider:
  – FOSSology license scanner
  – Palamida, Black Duck anti-plagiarism scanners
  – BAT (Binary Analysis Tool) for binaries (another free plug)
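BKM #2 asks for SPDX tagging to standardize SW BOMs and BKM #3 asks for tooling rather than manual review. The script below is an added example written for this page, not code from the talk, from Intel, or from FOSSology or BAT. It assumes source files declare their license with the SPDX short-identifier convention ("SPDX-License-Identifier: <expression>" in a header comment), uses ids from the current SPDX license list, treats the ALLOWED and SOURCE_DROP_REQUIRED policy tables as hypothetical, and runs over a constructed in-memory tree standing in for a supplier deliverable. It produces a per-license BOM plus the list of items a reviewer must act on: untagged files, files with no approved license, and files whose license obliges a source drop.

```python
"""Scan a source tree for SPDX-License-Identifier tags and build a software BOM.

Added example, not from the slides or from any of the tools they name.
Assumptions: files carry an SPDX short-identifier header line, license ids are
from the current SPDX license list, the policy tables are hypothetical, and the
input tree is a constructed sample rather than a real supplier deliverable.
"""
import re
from collections import defaultdict

# Matches the tag plus a simple expression: ids joined by AND / OR / WITH, no parentheses.
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)

# Policy tables (assumptions for illustration, not anyone's real approved list).
ALLOWED = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
           "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only"}
# Licenses that oblige you to ship corresponding source alongside the binary.
SOURCE_DROP_REQUIRED = {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only"}


def extract_spdx(text, header_lines=20):
    """Return the SPDX expression from a file's header comment, or None if untagged."""
    head = "\n".join(text.splitlines()[:header_lines])
    m = SPDX_RE.search(head)
    return m.group(1) if m else None


def evaluate(expr):
    """Evaluate a simple SPDX expression against the policy tables.

    'A OR B' lets the recipient choose, so it is approved if any alternative is
    approved and only needs a source drop if every approved alternative does.
    'A AND B' needs all ids approved and a source drop if any id requires one.
    'X WITH exception' is reduced to X for policy purposes.
    Returns (ids, approved, needs_source).
    """
    expr = re.sub(r"\s+WITH\s+\S+", "", expr)
    if " AND " in expr:
        ids = expr.split(" AND ")
        approved = all(i in ALLOWED for i in ids)
        needs_source = any(i in SOURCE_DROP_REQUIRED for i in ids)
    else:
        ids = expr.split(" OR ")
        choices = [i for i in ids if i in ALLOWED]
        approved = bool(choices)
        needs_source = approved and all(i in SOURCE_DROP_REQUIRED for i in choices)
    return ids, approved, needs_source


def build_bom(tree):
    """tree maps path -> file text. Returns (bom, findings).

    bom maps each license id (or NOASSERTION for untagged files) to the paths
    carrying it; findings lists what a human reviewer still has to act on.
    """
    bom = defaultdict(list)
    findings = []
    for path, text in sorted(tree.items()):
        expr = extract_spdx(text)
        if expr is None:
            bom["NOASSERTION"].append(path)
            findings.append(f"{path}: no SPDX tag; license must be established by hand")
            continue
        ids, approved, needs_source = evaluate(expr)
        for lic in ids:
            bom[lic].append(path)
        if not approved:
            findings.append(f"{path}: '{expr}' contains no approved license")
        if needs_source:
            findings.append(f"{path}: '{expr}' requires corresponding source in the deliverable")
    return dict(bom), findings


# Constructed sample deliverable: one untagged file and one under an unapproved license.
SAMPLE_TREE = {
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "src/driver.c": "/* SPDX-License-Identifier: GPL-2.0-only */\n/* kernel driver */\n",
    "lib/util.c": "/* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */\n",
    "third_party/foo.c": "/* SPDX-License-Identifier: SSPL-1.0 */\n",
    "vendor/blob.c": "/* Copyright (c) 2013 Example Corp. All rights reserved. */\n",
}

if __name__ == "__main__":
    bom, findings = build_bom(SAMPLE_TREE)
    for lic in sorted(bom):
        print(f"{lic:20} {', '.join(bom[lic])}")
    print()
    for finding in findings:
        print("FINDING:", finding)
```

On a real deliverable, feed build_bom a dict built by walking the tree with os.walk. The NOASSERTION bucket is where the scanners named above earn their keep: a tag only records what the supplier claims about a file, not where the code actually came from, so untagged files (and, ideally, a sample of tagged ones) still need a license or plagiarism scan before the BOM is trusted.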

BKM #4: community-aware compliance
- Legal theorizing is interesting, but always behave as if what the developer community thinks a license means is what it means
- Use best efforts to follow community norms
- When you have a choice of license, use one of the 5-6 most popular OSI-approved licenses. Eschew esoterica.

BKM #5: have an emergency plan
- Even with all BKMs firing, there will be mistakes
- Identify your open source compliance emergency response team: Legal, Engineering, Press/PR
- Call the open source ERT for all reported compliance issues, real or imagined
- Do not go silent. Answer questions; provide responses to press and bloggers; take corrective action when needed

We're at the tail end!

Questions!
