DOCSLIB.ORG

Open Source Software

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Open Source Software Open Source Software – Is It the Death of Your Company? written by Steve Kerns | March 28, 2016 Open source software (OSS) is software whose source code is available for modification or enhancement by anyone. Many companies use OSS to develop their applications, but yet do not know what dangers exist in it. There may be legal ramifications stemming from the licenses that are being used by the OSS or security vulnerabilities that can exist in the software itself. Do you even know what OSS you are using in your application? Have your developers pulled the source into your application instead of using the binaries? If not, the first step is to find out what OSS you are using and what versions. The next step is to find out what license this software is using. Licenses There are many different open source licenses, some of them good (permissive) and some not so good. A “permissive” license is simply a non-copyleft open source license — one that guarantees the freedoms to use, modify, and redistribute, but that permits proprietary derivative works. As of last count, the Open Source Initiative (OSI) has 76 different licenses, some permissive and some not so permissive. There are also some that OSI does not recognize, such as the Beerware license. It says “As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp”. This is considered a permissive license. Copyleft is a copyright licensing scheme where an author surrenders some, but not all rights under copyright law. Copyleft allows an author to impose some restrictions on those who want to engage in activities that would more usually be reserved by the copyright holder. “Weak copyleft” licenses are generally used for the creation of software libraries, to allow other software to link to the library and then be redistributed without the legal requirement for the work to be distributed under the library’s copyleft license. Only changes to the weak-copylefted software itself become subject to the copyleft provisions of such a license, not changes to the software that links to it. This allows programs of any license to be compiled and linked against copylefted libraries such as glibc (the GNU project’s implementation of the C standard library) and then redistributed without any re-licensing required. Copyleft licenses (GPL, etc.) become an issue if the OSS source is actually pulled into your application. The developers can do this without anyone’s knowledge, but would require you to release your source code. All of your intellectual property then becomes open source under that license. The licenses on the OSS you are using can have many or few restrictions on your software. Make sure you are aware of the license(s) that is applied to each OSS you are using and have a lawyer review all of them. What if you do not comply with the license? I am not a lawyer, but I believe if a company finds out you are using their software out of compliance with the license, you may end up with a lawsuit. In fact, the lawyer I was working with at a previous job was adamant that the company not use any copyleft software. He would not sign off on the software release unless it was free of copyleft software. Security Vulnerabilities As you are aware, all software has bugs and from a security perspective, the OSS you are using contains them as well. Over the last couple of weeks I was doing a web application penetration test and discovered that the software was using about 80 different open source libraries (JAR files). Among them were the Apache Commons Collections (ACC) and Apache Standard Taglibs (AST). Each of these have security vulnerabilities that are considered high risk (CVSS score of 7.5 or above). For example, ACC is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. If the application is using OSS that is out-of-date by many months or years, it may have undiscovered or unreported vulnerabilities. Older software tend to have security vulnerabilities that go undetected or unreported. What vulnerabilities you allow in your software is up to your company policy, so you need to determine if you will allow the release of software that is old or contains security vulnerabilities. Solutions You can do research on each OSS you use. This means visiting the website for the OSS or opening up each JAR file and reviewing the license information. Make sure you track this because OSS can change licenses between releases. Under one version it could be released using the aforementioned BEER license and the next one could be under a copyleft license. For security vulnerabilities, going to the vendors web site might give you some information, but also review the following: http://seclists.org http://www.cvedetails.com http://www.securityfocus.com http://www.osvdb.org/ Also consider using software to scan for these issues. The two that I am most familiar with are: http://info.blackducksoftware.com http://www.sonatype.com (CLM) I am most familiar with CLM, which we installed in a previous company that I worked for; it discovered many issues in the OSS we were using in our products. The software teams had to scramble to fix the issues that were discovered. As I mentioned before, the lawyer did not allow the release of any software with certain licenses. They ended up either upgrading the OSS or removing it completely from the software..
Load more

Recommended publications
  • Building Online Content and Community with Drupal
    Collaborative Librarianship Volume 1 Issue 4 Article 10 2009 Building Online Content and Community with Drupal Gabrielle Wiersma University of Colorado at Boulder, [email protected] Follow this and additional works at: https://digitalcommons.du.edu/collaborativelibrarianship Part of the Collection Development and Management Commons Recommended Citation Wiersma, Gabrielle (2009) "Building Online Content and Community with Drupal," Collaborative Librarianship: Vol. 1 : Iss. 4 , Article 10. DOI: https://doi.org/10.29087/2009.1.4.10 Available at: https://digitalcommons.du.edu/collaborativelibrarianship/vol1/iss4/10 This Review is brought to you for free and open access by Digital Commons @ DU. It has been accepted for inclusion in Collaborative Librarianship by an authorized editor of Digital Commons @ DU. For more information, please contact [email protected],[email protected]. Wiersma: Building Online Content and Community with Drupal Building Online Content and Community with Drupal Gabrielle Wiersma ([email protected]) Engineering Research and Instruction Librarian, University of Colorado at Boulder Libraries use content management systems Additionally, all users are allowed to post in order to create, manage, edit, and publish content without using code, which enables content on the Web more efficiently. Drupal less tech savvy users to contribute content (drupal.org), one such Web-based content just as easily as their more proficient coun- management system, is unique because it terparts. For example, a library could use employs a bottom-up strategy for Web de- Drupal to allow library staff to view and sign that separates the content of the site edit the library Web site, blog, and staff from the formatting which means that “you intranet.
    [Show full text]
  • Understanding Code Forking in Open Source Software
    EKONOMI OCH SAMHÄLLE ECONOMICS AND SOCIETY LINUS NYMAN – UNDERSTANDING CODE FORKING IN OPEN SOURCE SOFTWARE SOURCE OPEN IN FORKING CODE UNDERSTANDING – NYMAN LINUS UNDERSTANDING CODE FORKING IN OPEN SOURCE SOFTWARE AN EXAMINATION OF CODE FORKING, ITS EFFECT ON OPEN SOURCE SOFTWARE, AND HOW IT IS VIEWED AND PRACTICED BY DEVELOPERS LINUS NYMAN Ekonomi och samhälle Economics and Society Skrifter utgivna vid Svenska handelshögskolan Publications of the Hanken School of Economics Nr 287 Linus Nyman Understanding Code Forking in Open Source Software An examination of code forking, its effect on open source software, and how it is viewed and practiced by developers Helsinki 2015 < Understanding Code Forking in Open Source Software: An examination of code forking, its effect on open source software, and how it is viewed and practiced by developers Key words: Code forking, fork, open source software, free software © Hanken School of Economics & Linus Nyman, 2015 Linus Nyman Hanken School of Economics Information Systems Science, Department of Management and Organisation P.O.Box 479, 00101 Helsinki, Finland Hanken School of Economics ISBN 978-952-232-274-6 (printed) ISBN 978-952-232-275-3 (PDF) ISSN-L 0424-7256 ISSN 0424-7256 (printed) ISSN 2242-699X (PDF) Edita Prima Ltd, Helsinki 2015 i ACKNOWLEDGEMENTS There are many people who either helped make this book possible, or at the very least much more enjoyable to write. Firstly I would like to thank my pre-examiners Imed Hammouda and Björn Lundell for their insightful suggestions and remarks. Furthermore, I am grateful to Imed for also serving as my opponent. I would also like to express my sincere gratitude to Liikesivistysrahasto, the Hanken Foundation, the Wallenberg Foundation, and the Finnish Unix User Group.
    [Show full text]
  • Designing a Licence for Open Collaboration: Andrew Katz
    Designing a Licence for Open Collaboration: insights from the development and use of the CERN Open Hardware Licence Andrew Katz University of Skövde, Moorcrofts LLP www.moorcrofts.com [email protected] Javier Serrano CERN OHL History • March 2011: CERN OHL 1.0 • July 2011: CERN OHL 1.1 • September 2013: CERN OHL 1.2 • 2017: CERN OHL 2, beta 1 • 2019 : CERN OHL 2, beta 2 • Original drafting team: Myriam Ayass and Javier Serrano and the CERN Knowledge Transfer Group. • AK became involved in 2012 with v1.2 Accelerators Detectors Dissemination How to interpret one’s dissemination mandate in the 21st century How to interpret one’s dissemination mandate in the 21st century • Standard Ethernet network • Ethernet features (VLAN) & protocols (SNMP) • Sub-nanosecond synchronisation • Guaranteed (by design) upper bound in frame latency White Rabbit Switch • Central element of White Rabbit network • 18 port gigabit Ethernet switch with WR features • Optical transceivers: single-mode fibre, originally 10 km range • Fully open design, commercially available WR Node: SPEC board FMC-based Hardware Kit: • All carrier cards are equipped with a White Rabbit port. • Mezzanines can use the accurate clock signal and “TAI” (synchronous sampling clock, trigger time tag, . ). White Rabbit application examples • CERN and GSI (Germany) near Darmstadt White Rabbit application examples • CERN and GSI • The Large High Altitude Air Shower Observatory White Rabbit application examples • CERN and GSI • The Large High Altitude Air Shower Observatory • KM3NET:
    [Show full text]
  • FOSS Philosophy 6 the FOSS Development Method 7
    1 Published by the United Nations Development Programme’s Asia-Pacific Development Information Programme (UNDP-APDIP) Kuala Lumpur, Malaysia www.apdip.net Email: [email protected] © UNDP-APDIP 2004 The material in this book may be reproduced, republished and incorporated into further works provided acknowledgement is given to UNDP-APDIP. For full details on the license governing this publication, please see the relevant Annex. ISBN: 983-3094-00-7 Design, layout and cover illustrations by: Rezonanze www.rezonanze.com PREFACE 6 INTRODUCTION 6 What is Free/Open Source Software? 6 The FOSS philosophy 6 The FOSS development method 7 What is the history of FOSS? 8 A Brief History of Free/Open Source Software Movement 8 WHY FOSS? 10 Is FOSS free? 10 How large are the savings from FOSS? 10 Direct Cost Savings - An Example 11 What are the benefits of using FOSS? 12 Security 13 Reliability/Stability 14 Open standards and vendor independence 14 Reduced reliance on imports 15 Developing local software capacity 15 Piracy, IPR, and the WTO 16 Localization 16 What are the shortcomings of FOSS? 17 Lack of business applications 17 Interoperability with proprietary systems 17 Documentation and “polish” 18 FOSS SUCCESS STORIES 19 What are governments doing with FOSS? 19 Europe 19 Americas 20 Brazil 21 Asia Pacific 22 Other Regions 24 What are some successful FOSS projects? 25 BIND (DNS Server) 25 Apache (Web Server) 25 Sendmail (Email Server) 25 OpenSSH (Secure Network Administration Tool) 26 Open Office (Office Productivity Suite) 26 LINUX 27 What is Linux?
    [Show full text]
  • Third-Party Licenses Ezeep
    Licensing Terms of Additional Components Supplied by Third- Party Manufacturers “ezeep for Azure” ................................................................................................................................1 “ezeep Connector / ezeep Connector PS” ...........................................................................................1 “ezeep Connector Mac” .......................................................................................................................4 “ezeep print App macOS” ....................................................................................................................4 “ezeep for Azure” “ezeep Connector / ezeep Connector PS” “Microsoft Visual C++ 2013 Runtime Libraries”, “Microsoft Visual C++ 2017 Runtime Libraries” Appendix 1 Microsoft Visual C++ 2013 Runtime Libraries MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this software, unless other terms accompany those items. If so, those terms apply. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE. IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW. 1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices. 2. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the soft- ware only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the soft- ware that only allow you to use it in certain ways.
    [Show full text]
  • Master Thesis Innovation Dynamics in Open Source Software
    Master thesis Innovation dynamics in open source software Author: Name: Remco Bloemen Student number: 0109150 Email: [email protected] Telephone: +316 11 88 66 71 Supervisors and advisors: Name: prof. dr. Stefan Kuhlmann Email: [email protected] Telephone: +31 53 489 3353 Office: Ravelijn RA 4410 (STEPS) Name: dr. Chintan Amrit Email: [email protected] Telephone: +31 53 489 4064 Office: Ravelijn RA 3410 (IEBIS) Name: dr. Gonzalo Ord´o~nez{Matamoros Email: [email protected] Telephone: +31 53 489 3348 Office: Ravelijn RA 4333 (STEPS) 1 Abstract Open source software development is a major driver of software innovation, yet it has thus far received little attention from innovation research. One of the reasons is that conventional methods such as survey based studies or patent co-citation analysis do not work in the open source communities. In this thesis it will be shown that open source development is very accessible to study, due to its open nature, but it requires special tools. In particular, this thesis introduces the method of dependency graph analysis to study open source software devel- opment on the grandest scale. A proof of concept application of this method is done and has delivered many significant and interesting results. Contents 1 Open source software 6 1.1 The open source licenses . 8 1.2 Commercial involvement in open source . 9 1.3 Opens source development . 10 1.4 The intellectual property debates . 12 1.4.1 The software patent debate . 13 1.4.2 The open source blind spot . 15 1.5 Litterature search on network analysis in software development .
    [Show full text]
  • Elements of Free and Open Source Licenses: Features That Define Strategy
    Elements Of Free And Open Source Licenses: Features That Define Strategy CAN: Use/reproduce: Ability to use, copy / reproduce the work freely in unlimited quantities Distribute: Ability to distribute the work to third parties freely, in unlimited quantities Modify/merge: Ability to modify / combine the work with others and create derivatives Sublicense: Ability to license the work, including possible modifications (without changing the license if it is copyleft or share alike) Commercial use: Ability to make use of the work for commercial purpose or to license it for a fee Use patents: Rights to practice patent claims of the software owner and of the contributors to the code, in so far these rights are necessary to make full use of the software Place warranty: Ability to place additional warranty, services or rights on the software licensed (without holding the software owner and other contributors liable for it) MUST: Incl. Copyright: Describes whether the original copyright and attribution marks must be retained Royalty free: In case a fee (i.e. contribution, lump sum) is requested from recipients, it cannot be royalties (depending on the use) State changes: Source code modifications (author, why, beginning, end) must be documented Disclose source: The source code must be publicly available Copyleft/Share alike: In case of (re-) distribution of the work or its derivatives, the same license must be used/granted: no re-licensing. Lesser copyleft: While the work itself is copyleft, derivatives produced by the normal use of the work are not and could be covered by any other license SaaS/network: Distribution includes providing access to the work (to its functionalities) through a network, online, from the cloud, as a service Include license: Include the full text of the license in the modified software.
    [Show full text]
  • Open Source Software As Intangible Capital: Measuring the Cost and Impact of Free Digital Tools Preliminary Draft October 31, 20181 Carol A
    Open Source Software as Intangible Capital: Measuring the Cost and Impact of Free Digital Tools Preliminary Draft October 31, 20181 Carol A. Robbins*(1), Gizem Korkmaz (2), José Bayoán Santiago Calderón (3), Daniel Chen (2), Claire Kelling (4) , Stephanie Shipp (2), Sallie Keller (2) Abstract Open source software is everywhere, both as specialized applications nurtured by devoted user communities, and as digital infrastructure underlying platforms used by millions daily, yet its value and impact are not currently measured (with small exceptions). We develop an approach to document the scope and impact of open source software created by all sectors of the economy: businesses, universities, government research institutions, nonprofits, and individuals. We use a bottom-up approach to measure subset of OSS projects and languages, collecting data on open source software languages R, Python, Julia, and JavaScript, as well as from the Federal Government’s code.gov website. Using lines of code and a standard model to estimate package developer time, we convert lines of code to resource cost. We estimate that the resource cost for developing R, Python, Julia, and JavaScript exceeds $3 billion dollars, based on 2017 costs. Applying this approach to open source software available on code.gov results in an estimated value of more than $1 billion, based on 2017 costs, as a lower bound for the resource cost of this software. We analyze the dependencies between software packages through network analysis and estimate re-use statistics. This reuse is one measure of relative impact. Key words: Open Source Software, Intangibles, Network Analysis National Center for Science and Engineering Statistics, National Science Foundation; 2) Social & Decision Analytics Division, Biocomplexity Institute & Initiative, University of Virginia; 3) Claremont Graduate University; 4) Pennsylvania State University 1 An earlier version of this paper was presented August 21, 2018 at the International Association for Research on Income and Wealth.
    [Show full text]
  • Open Source Software Licensing FAQ
    Open Source Software Licensing FAQ Here we attempt to address some common questions that academics and researchers have about licensing software as open source. Most of the issues raised can be complex, so for more details we include links to relevant information on the OSSWatch website. What type of software can be licensed? Anything from stand-alone programs and code libraries to programming languages and operating systems. The OSSWatch website lists some examples of OSS. Content (e.g. images, text) either as part of an application or website or as documentation and data may also be licensed openly, although it is important to note the considerations for licensing software are somewhat different (so, for example, Creative Commons licences are not recommended for software). What does a software licence cover? (See An Introduction To Ownership And Licensing Issues.) “When you write software, you are creating a kind of property.” The owner of this property will have certain rights (including copyrights and potentially patent rights) which limit the ability of other people to use, copy, alter and redistribute the software. Through a licence the owner provides permissions for these acts, providing certain conditions are met. The conditions may cover issues such as attribution, limitations of liabilities, and requirements regarding the sharing of code that has been altered. (An Introduction To Ownership And Licensing Issues.) The issue of software patents has been a contentious one, and the legal details vary around the world, however it is the general view that an open source licence is also a grant of a licence to the user regarding any patents necessary for using the software, either implicit or explicit.
    [Show full text]
  • OSS Disclosure
    Tape Automation Scalar i6000, Firmware Release i11.1 (663Q) Open Source Software Licenses Open Source Software (OSS) Licenses for: Scalar i6000 Firmware Release i11.1 (663Q). The firmware/software contained in the Scalar i6000 is an aggregate of vendor proprietary pro- grams as well as third party programs, including Open Source Software (OSS). Use of OSS is subject to designated license terms and the following OSS license disclosure lists all open source components and their respective, applicable licenses that are part of the tape library firmware. All software that is designated as OSS may be copied, distributed, and/or modified in accordance with the terms and conditions of its respective license(s). Additionally, for some OSS you are entitled to obtain the corresponding OSS source files as required by the respective and applicable license terms. While GNU General Public License ("GPL") and GNU Lesser General Public Li- cense ("LGPL") licensed OSS requires that the sources be made available, Quantum makes all tape library firmware integrated OSS source files, whether licensed as GPL, LGPL or otherwise, available upon request. Please refer to the Scalar i6000 Open Source License CD (part number 3- 01638-xx) when making such request. For contact information, see Getting More Information. LTO tape drives installed in the library may also include OSS components. For a complete list- ing of respective OSS packages and applicable OSS license information included in LTO tape drives, as well as instructions to obtain source files pursuant to applicable license requirements, please reference the Tape Automation disclosure listings under the Open Source Information link at www.quantum.com/support.
    [Show full text]
  • Open Source Software: What Business Lawyers, Entrepreneurs and IT Professionals Should Know
    Open Source Software: What Business Lawyers, Entrepreneurs and IT Professionals Should Know Stuart R. Hemphill Partner Minneapolis P: (612) 340-2734 F: (612) 340-8856 [email protected] © 2016 Dorsey & Whitney LLP Source vs. Object Source Code Object Code Programmer readable statements in Machine readable Binary: a computer language, such as C, C++, Cobol, Fortran, Java, Perl, 000010100010001010 PHP 110001010000010100 000100101010001011 // Create a button and add it to the applet. // Also, set the button's colors clear_button = new Button("Clear"); Or Hexadecimal clear_button.setForeground(Color.black); clear_button.setBackground(Color.lightGray); 3F7A this.add(clear_button); (translates to the following binary number: 0011 1111 0111 1010) 2 History of Open Source Software . Term coined in February 1998 by Silicon Valley insiders in anticipation of Netscape’s announcement that it would release the source code for its browser software . This meant software coders could understand the browser’s working details and potentially modify them . 1998 was a momentous time for open source movement given mainstream adoption of internet . But concept significantly pre-dates coining of term 3 Free Software Foundation . Free Software Foundation (FSF), created in 1983 by Richard Stallman of MIT with goal of developing free version of UNIX operating system; everyone could share and change this version . According to FSF, “‘Free software’ is a matter of liberty, not price … think of ‘free’ as in ‘free speech,’ not as in ‘free beer.’” . Stallman wrote a license leveraging copyright in base code and intended to keep derivatives of base software “free” by requiring source code disclosure . Non-negotiable terms; accept by use .
    [Show full text]
  • Open Source and Sustainability
    OPEN SOURCE AND SUSTAINABILITY: THE ROLE OF UNIVERSITY Dr. Giorgio F. SIGNORINI, PhD Dipartimento di Chimica, Università di Firenze via della Lastruccia, 3 I-50019 Sesto F. (Firenze), Italy giorgio.signorini@unifi.it Abstract One important goal in sustainability is making technologies available to the maximum possi- ble number of individuals, and especially to those living in less developed areas (Goal 9 of SDG). However, the diffusion of technical knowledge is hindered by a number of factors, among which the Intellectual Property Rights (IPR) system plays a primary role. While opinions about the real effect of IPRs in stimulating and disseminating innovation differ, there is a growing number of authors arguing that a different approach may be more effective in promoting global development. The success of the Open Source (OS) model in the field of software has led analysts to speculate whether this paradigm can be extended to other fields. Key to this model are both free access to knowledge and the right to use other people’s results. After reviewing the main features of the OS model, we explore different areas where it can be profitably applied, such as hardware design and production; we finally discuss how academical in- stitutions can (and should) help diffusing the OS philosophy and practice. Widespread use of OS software, fostering of research projects aimed to use and develop OS software and hardware, the use of open education tools, and a strong commitment to open access publishing are some of the discussed examples. Keywords Open Source, Sustainable Development, University, Open Education, Open Access arXiv:1910.06073v1 [cs.CY] 8 Oct 2019 1 Introduction What is sustainability about? According to the widely accepted definition of the Brundtland Report (Brundtland 1987), human development is sustainable when it can satisfy the needs of the current gener- ation without compromising the ability of future generations to do the same.
    [Show full text]