Date post: 20-Aug-2015
Upload: black-duck-software
Transcript

Managing Android and the Complexity Inside: Understanding the Open Source License and Compliance Issues

Peter Vescuso

Black Duck Software

Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 2

Agenda

OSS in Mobile Trends

Application Developers
– Basics of OSS licenses
– License considerations
– Resources

Device Manufacturers
– Issues/Complexity/Supply chain
– What’s Inside Gingerbread
– Best Practices

Summary

Open Source Drives Mobile Innovation

Over 3,800 new OSS projects in 2010, doubling each of the last 3 years

94% of new projects that specify a platform are targeting Android and Apple/iOS

Open source has redefined the mobile industry and is spreading far beyond

[Chart: New Mobile OSS Projects per year, 2005–2010 (vertical axis 0–4000)]

New 2010 FOSS Projects by Platform: Android 55%, Apple iOS 39%, Windows 2%, Blackberry 2%, Palm/Web OS 1%, Symbian 1%, Meego/Maemo 0%

Forecast: Mobile Communications Device Open OS Sales to End Users by OS (Market Share, %)

OS          2009   2010   2011   2014
Symbian     46.9   40.1   34.2   30.2
Android      3.9   17.7   22.2   29.6
RIM         19.9   17.5   15.0   11.7
Apple iOS   14.4   15.4   17.1   14.9
Windows      8.7    4.7    5.2    3.9
Other        6.1    4.7    6.3    9.6
Total      100.0  100.0  100.0  100.0

Source: Gartner (August 2010)

Android is a Huge Market Opportunity

[Chart: market share by OS (Symbian, Android, RIM, Apple iOS, Windows, Other) for 2009, 2010, 2011 and 2014, plotted from the Gartner table above]

Gartner: Android to become #2 Worldwide Mobile Operating System in 2010, #1 Position by 2014

Android is powering more than smartphones…

Android Devices: Phones, Tablets, eReaders, Autos, more…

HP Touchpad
Lenovo LePad
Automobile: Android-powered Saab
Dell Streak
Droid by Motorola
Samsung Galaxy
HTC Evo Shift
Barnes & Noble Nook
Motorola Xoom

Android Compliance is a Growing Concern

Source: //www.codon.org.uk/~mjg59/android_tablets/

“The vast majority of Android tablets I've been able to find are shipping without any source being made available, and that includes devices from well-known vendors.” Matthew Garrett, Red Hat, Linux Kernel Developer

Types of Open Source Licenses: Reciprocal vs. Permissive

Reciprocal (aka Copyleft).

– Requires licensee to make improvements or enhancements available under similar terms.

– Example is the GPL: Licensee must distribute “work based on the program” and cause such works to be licensed at no charge under the terms of the GPL.

Permissive.

– Modifications/enhancements may remain proprietary.

– Distribution in source code or object code permitted provided copyright notice & liability disclaimer are included and contributors’ names are not used to endorse products.

– Examples: BSD, Apache Software License.

Most Popular Mobile OSS Licenses

1 GPL
2 LGPL
3 MIT
4 Apache
5 BSD
6 Microsoft
7 Artistic
8 Eclipse
9 Common Public License
10 Mozilla

The OSS License Continuum

Permissive → Restrictive

Permissive licenses (MIT, Apache, BSD) → Weaker Copyleft (MPL, LGPL) → Stronger Copyleft (GPL)

Potential License Conflicts

Proprietary licenses
– Pay a fee
– Most don’t provide source

Many OSS licenses allow restrictions on end users (Apache 2), but GPL does not

Some OSS licenses contain patent termination clauses

GPLv3 resolved incompatibilities with Apache.

App Stores and FOSS Licenses

GPL-licensed apps cannot be distributed through the Apple iTunes Store (or any store that imposes restrictions)
– Apple ToS (terms of service) require that all software be licensed for use on a single device only
– “Copylefted software can’t be un-freely relicensed, so it can’t be transacted for under Apple’s current ToS.” Eben Moglen, SFLC
– “Just like GPLv2, GPLv3 prohibits distributors from placing additional restrictions on the software through legal documents or similar means.” Brett Smith, Free Software Foundation

Android stores
– “So far as we know…the Google Android market… do not place any limitation on how a market participant’s application is licensed that would inhibit distributing Android applications in the market under copyleft licensing.” Eben Moglen, SFLC

Permissive licenses (e.g., Apache, MIT, BSD) appear to be compatible with app store ToS

Resources

Webinar-based education: //www.blackducksoftware.com/webinars/legal/
– Introduction to Open Source Licenses
– Understanding the Top 10 Open Source Licenses
– Unraveling the Complexities of the GPL

Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html

Issues for Device Manufacturers

How to control and manage building software on a rapidly changing open-source operating system with development forks, governed by multiple licenses, against an aggressive release cycle?

Typical concerns about Android:
– Uses the GPLv2-licensed Linux kernel
– Grown to a collection of ~165 different sub-components
– Written under ~19 different open source licenses
– Includes licenses that are reciprocal, and not all OSI-approved
– Rapid change: averages a major release every 3¼ months

Android & Vendor Innovation

[Diagram: the Android platform stack, with the typical areas of vendor/developer innovation highlighted]

Source: Google - //source.android.com/

What’s Inside Android?

Android 2.3 (“Gingerbread”)

165 Projects
– 83 are “External”
– Does not include Kernel Mirror

Total Size
– Over 80,000 Files
– Over 2GB total size
– Does not include Kernel Mirror

A Look Inside Two Android Components: Bionic & Webkit

License types in: Bionic
BSD 2.0*, CMU License, Cryptix License, Free clause, FreeBSD, Historical free, INRIA OSL, Intel OSL, Internet Software Consortium, MIT, Public Domain, Python InfoSeek, X.Net License

License types in: Webkit
BSD 2.0, David M. Gay License, GPL 2.0, ICU License, LGPL 2.1*, MIT License V2, MIT v2 with Ad Clause License, Mozilla Public License 1.1, PCRE License, Public Domain, SWIG License, The wxWindows Library License, zlib/libpng License

*Declared license

Android 2.3: The Ingredients for “Gingerbread”

Licenses
– Declared license: Apache 2.0
– Components reference 19 different licenses
– External components: Linux, Webkit use reciprocal licenses (GPLv2, LGPL)
– Other components: more than 30 of them use reciprocal licenses (GPL, LGPL, CPL, etc.), e.g. dbus, grub, emma, e2fsprogs, bluez, Bison
– Non-OSI approved licenses are used, including OpenSSL and Bzip2

Managing FOSS in the Mobile Ecosystem and Software Supply Chain

Typical Smartphone has over 300 components

[Diagram: the OS/Software Stack/Device is assembled by Your Company from Corporate-Owned IP, Proprietary/Licensed IP, FOSS and Outsourced development (Out Source/Offshore), through multi-level supply chains]

Component categories: XML, Security, Networking, Email, Graphics, Database, Web Services, many more…

Meeting Open Source License Obligations

There is no "mobile device" or small appliance exception which alters obligations under open source licenses

When there is an obligation to provide source code, the obligation is met only by providing the source code for the specific device that is owned by the person requesting the code

The benefits of an open platform place the burdens of compliance on every vendor that ships the platform

There is no “downstream defense” for upstream violations

Managing complexity requires the establishment of consistent processes

Legal and IP Issues Depend on Your Position in the Ecosystem

Middleware, component developer
– Integration of your code with FOSS has implications for your IP
– How downstream customers use your code may impact your IP

Device manufacturer
– Responsible for the entire bundle of components from suppliers
– Device driver code: open source it or not?

Application developer
– Integration of your code with FOSS has implications for your IP
– Also impacts distribution options

Software Package Data Exchange™ (SPDX™)

Working group of FOSSBazaar (governance best practices group under Linux Foundation)

Charter:

Create data exchange standards to enable license and component information sharing (metadata)

Participation from over 16 organizations including software, systems and tool vendors, consultants and foundations

Best Practices for Managing Android

Adopt and enforce an open source and third-party code policy

Identify and track all external code that is used

Automate validation at the point of acquisition and development

Automate monitoring and tracking of Android components

Control the use of components and promote standardization

Use automation tools to produce complete Bills of Material and reports for supply chain partners

Policy Process Technology
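As an added illustration (not code from the deck or from Black Duck) of the declared-versus-found license gap shown for Bionic and Webkit, the reciprocal/permissive continuum, and the SPDX-style Bill of Material the best practices call for: the script below reviews a constructed component manifest and emits SPDX tag/value package records. Component names, license tags and scan results are hypothetical.

```python
# Added example (not from the deck or Black Duck): review a constructed component manifest
# against the deck's permissive / weak-copyleft / strong-copyleft continuum and emit SPDX
# tag/value package records. Component names, license tags and scan results are made up.

RANK = {"permissive": 1, "non-osi": 1, "weak-copyleft": 2, "strong-copyleft": 3}
LICENSE_CLASS = {
    "Apache-2.0": "permissive", "MIT": "permissive", "BSD-2-Clause": "permissive",
    "ISC": "permissive", "Public-Domain": "permissive", "zlib": "permissive",
    "OpenSSL": "non-osi", "bzip2": "non-osi",          # not OSI-approved, as the deck notes
    "LGPL-2.1": "weak-copyleft", "MPL-1.1": "weak-copyleft", "CPL-1.0": "weak-copyleft",
    "GPL-2.0": "strong-copyleft",
}

# Hypothetical manifest loosely modelled on the Gingerbread figures; not real scan output.
COMPONENTS = [
    {"name": "kernel", "declared": "GPL-2.0", "found": ["GPL-2.0"]},
    {"name": "bionic", "declared": "BSD-2-Clause",
     "found": ["BSD-2-Clause", "MIT", "ISC", "Public-Domain"]},
    {"name": "webkit", "declared": "LGPL-2.1",
     "found": ["LGPL-2.1", "GPL-2.0", "MIT", "MPL-1.1", "zlib"]},
    {"name": "openssl", "declared": "OpenSSL", "found": ["OpenSSL"]},
]

def classify(lic):
    return LICENSE_CLASS.get(lic, "unknown")

def review(components):
    """Map each component name to a sorted list of findings (empty list = nothing to act on)."""
    report = {}
    for c in components:
        classes = {classify(l) for l in c["found"]}
        issues = set()
        if "non-osi" in classes:
            issues.add("non-osi-license-review")
        if "strong-copyleft" in classes:
            issues.add("offer-complete-source")         # GPL: source for the shipped device
        elif "weak-copyleft" in classes:
            issues.add("offer-modified-library-source")
        if RANK.get(classify(c["declared"]), 0) < max(RANK.get(k, 0) for k in classes):
            issues.add("declared-license-understates")  # e.g. LGPL declared, GPL files inside
        report[c["name"]] = sorted(issues)
    return report

def spdx_tag_value(components):
    out = []  # SPDX tag/value package records, one block per component
    for c in components:
        out += [f"PackageName: {c['name']}", f"PackageLicenseDeclared: {c['declared']}"]
        out += [f"PackageLicenseInfoFromFiles: {l}" for l in sorted(set(c["found"]))]
        out.append("")
    return "\n".join(out)
```

Running `review(COMPONENTS)` flags webkit both for the GPL source obligation and for a declared license weaker than what its files carry, while bionic comes back clean.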

Summary

Android is highly successful and is changing the mobile and device landscape

Like many FOSS projects, there is complexity inside

The legal and IP issues depend on your role in the mobile supply chain/ecosystem

Effective management and control requires training, tools, and processes

Information Resources

Mark Radcliffe’s blog on the Bionic library: “Android and the Kernel: It’s not that simple”
– //lawandlifesiliconvalley.com/blog/?p=593

Black Duck Android white paper & webinar
– //www.blackducksoftware.com/android
– //www.blackducksoftware.com/webinars/legal/android.html

Email: [email protected]

Thank You

Peter Vescuso

Black Duck Software

[email protected]

