A few weeks ago we revealed the results of the 2016 Future of Open Source survey, which we ran with North Bridge. We had such a great discussion about our findings with the panel that we ran out of time for the questions and answers portion. As a result, we promised that we’d answer questions after the webinar. Bill Ledingham, CTO and EVP of Engineering at Black Duck, provided some responses, and I asked Phil Odence, VP & General Manager, to help us out with the license questions. Without further ado, here are the questions and answers:
Questions and Answers
1. Could you talk about the non-standard license used by React?
The React JS project uses a standard 3-clause BSD license. The reason this project is interesting is not due to the license, but to the additional patent agreement attached to the project by Facebook, who holds the copyright to the code. The additional grant of patent rights has raised some concerns within the legal community based on their interpretation of some of the terms of this agreement.
2. Where can participants find qualified help on the licensing front?
We always recommend working with qualified attorneys to address licensing questions. Many of the big firms have intellectual property (IP) attorneys on staff who specialize in open source. The Black Duck Certified Legal Professionals page on our website is a list of attorneys who understand the Black Duck audit process and have some background in open source licenses.
3. You mentioned models for open source software (OSS) policies. Could you point to some resources?
Googling “sample open source policy” will turn up some ideas. The Linux Foundation’s Open Compliance Program is one place to start.
4. Because of source code transparency in open source, how does one implement security in their SaaS software apps that utilize open source?
Source code transparency is not the problem per se. While there is the possibility that hackers could search through the code to find vulnerabilities that they could exploit, in reality they go after the low-hanging fruit, namely known vulnerabilities in open source that have already been publicly disclosed through sources such as the National Vulnerability Database.
Historically, companies have done a very poor job patching vulnerabilities in the open source software that they are using. Often, they are unaware of the fact that they are using open source, let alone vulnerable versions of that open source. Indeed, many vulnerabilities remain unpatched for years. Security for SaaS applications that utilize open source starts with visibility to the open source components/versions contained within the codebase and then tracking and mitigating vulnerabilities that are disclosed in those components/versions. This approach complements other application security tools (static and dynamic analysis) that are used to scan and find vulnerabilities in the proprietary code within the application.
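The approach described above (know which open source components and versions are in the codebase, then match them against publicly disclosed vulnerabilities) is what a software composition analysis tool does at its core. The following is an added example written for this post, not code from the original post or from Black Duck: it takes a constructed component inventory and a constructed, NVD-style advisory feed with affected version ranges, and reports which inventory entries fall inside an affected range. The component names and the EXAMPLE-2016-NNNN advisory identifiers are placeholders, not real projects or CVEs.

```python
"""Minimal component-versus-advisory matching.

Added example, not from the original post or Black Duck. The inventory,
the advisory feed, the component names and the EXAMPLE-2016-NNNN ids are
all constructed placeholders for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.3.14' into (2, 3, 14) so versions compare numerically.

    Non-numeric suffixes are dropped and missing fields padded with 0, which is
    a simplification: real feeds also carry pre-release and vendor suffixes.
    """
    fields = []
    for piece in v.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        fields.append(int(digits) if digits else 0)
    while len(fields) < 3:
        fields.append(0)
    return (fields[0], fields[1], fields[2])


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = no fix published
    severity: str


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def find_vulnerable(inventory: List[Tuple[str, str]],
                    feed: List[Advisory]) -> List[Tuple[str, str, Advisory]]:
    """Cross the inventory with the feed; most severe findings first."""
    findings = []
    for name, version in inventory:
        for adv in feed:
            if adv.component == name and is_affected(version, adv):
                findings.append((name, version, adv))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[2].severity], f[2].advisory_id))
    return findings


# Constructed inventory: what a build manifest or scan might report.
INVENTORY = [
    ("libexample-ssl", "1.0.1"),
    ("webframework", "2.3.14"),
    ("jsonparser", "0.9.2"),
    ("ui-widgets", "3.1.0"),
]

# Constructed advisory feed in the shape of NVD-style "affected range" data.
FEED = [
    Advisory("EXAMPLE-2016-0001", "libexample-ssl", "1.0.1", "1.0.2", "HIGH"),
    Advisory("EXAMPLE-2016-0002", "webframework", "2.3.0", "2.3.15", "CRITICAL"),
    Advisory("EXAMPLE-2016-0003", "webframework", "2.0.0", "2.3.0", "MEDIUM"),  # already fixed in 2.3.14
    Advisory("EXAMPLE-2016-0004", "jsonparser", "0.9.0", None, "LOW"),           # no fix yet
]


def report(findings: List[Tuple[str, str, Advisory]]) -> List[str]:
    """One line per finding, including the upgrade target when one exists."""
    lines = []
    for name, version, adv in findings:
        fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fixed version published"
        lines.append(f"{adv.severity:8} {adv.advisory_id} {name} {version}: {fix}")
    return lines


if __name__ == "__main__":
    for line in report(find_vulnerable(INVENTORY, FEED)):
        print(line)
```

The point the example makes is that the match is on component plus version range, not on component name alone: webframework 2.3.14 is flagged for one advisory and cleared for another, and a finding with no fixed version needs a mitigation decision rather than an upgrade. Tracking the feed over time (re-running this against the same inventory when new advisories are published) is the "tracking and mitigating" step the answer refers to.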
5. Is there a concept of copyright/trademark in open source?
Yes, almost all open source code is copyrighted. The copyright holder is the one who typically specifies the license attached to the open source code that governs the obligations of the user of the open source.
6. What’s the best business strategy small private software companies should follow if part of the product relies on open source? That is, how can we protect proprietary software that leverages open source? How can we resolve the copyleft issue in this product that is part proprietary and part open source?
It starts with having visibility around the open source code that you are embedding in the product and understanding the associated licenses and obligations to ensure that your intended use of the code is not in conflict with the terms of the license. For example, if you are distributing the product externally, you want to ensure that you are not mixing your proprietary code with open source code that has “copyleft” terms, e.g., GPL licenses. So, in a nutshell, you need to know what you’re using, understand the associated licenses, and likely have a lawyer review the terms to make sure you’re in compliance.
7. But how many of those 30M (projects on GitHub) aren’t just forks? Most stats indicate it’s more like 8-12M.
Totally agree. Many of the 35M+ projects on GitHub are forks or individual developers simply putting their own projects up there for convenience. The challenge is to understand what is a real open source project that is going to be supported by a community down the road, as opposed to some sample code that a developer can grab and use. If you are looking for open source projects that are going to provide key pieces of functionality for your applications or services, you need to do the proper level of vetting. Back to our GitHub example: at Black Duck we view only about 350K (1%) of those projects as “worthy” of tracking, based on metrics around usage, contributors, commit history, and so on.
8. Don’t many OEMs also have problems with the patent clause in Apache 2.0?
The patent grant involves code a company contributes to an open source project. Typically, companies are contributing code in areas that are not their “secret sauce,” so it should not involve their patents. Without a patent grant, companies have a hard time collaborating. The concern is that they might get “tricked” into a patent infringement as a result of using code provided by a fellow collaborating company.
9. In product disclosure, we have to disclose authorship. If we use open source in part of the product, how do we describe the authorship of open source?
Most open source code should contain an original copyright statement, as most of the licenses require retaining it.
10. Can open source projects penetrate into enterprise software? How can open source (get funding in order to) get certifications from government agencies, e.g. the FDA?
Open source is already widely adopted by enterprise software companies for how they build and deliver products. In a typical enterprise software application today we find that a third of the code is open source. Likewise, open source is being embraced by the government for helping to lower costs and speed up the delivery of new services (see this recent USA Today article).
There is also a heightened awareness within the government around the potential risks associated with the open source that they are using directly and indirectly through software that they acquire. Various initiatives are underway to provide validation of software used in devices and critical infrastructure (such as UL taking on cyber security testing and certification). Open source software, as an essential component of many of these technologies, is being evaluated as part of the process. While there isn’t direct funding for open source for certifications, open source is being included as part of the overall process.
11. Is there a correlation between use of Docker and type of respondent? That is, enterprise IT vs. tech companies delivering devices and software?
Enterprises are the earlier adopters of containers, but many think that independent software vendors (ISVs) will deliver containerized apps in the future.
12. Will the licensing of an open source project mutate/change during its lifetime, and how will this process affect developers?
While licenses occasionally change between versions of the same open source project, this is the exception rather than the rule. That said, companies do need to have a process in place for upgrading to new versions of open source components, including checking the associated license. If it has changed, companies must ensure that it goes through the appropriate legal review to check if there are any issues.
13. What are the key issues of technology transfer rights/restrictions in open source that developers must consider before jumping in to code using open source?
Developers using open source components should consider all of the aspects of the code as they would with any third-party software. What does the license allow and restrict? What are the obligations? How secure is the software, and what is its quality? How will I get support if there are issues?
If you missed our webinar, it is available on-demand at BrightTalk. We also have a more complete version of the slide deck available on Black Duck’s SlideShare. You can also view it on North Bridge’s SlideShare. I hope the questions and answers are helpful to you as you pursue using open source. Happy coding!