What Every Attorney Needs to Know About Open Source Licenses and Their Obligations: Open Source Software 101

2020 Edition, LawPracticeCLE


What Every Attorney Needs to Know About Open Source Software

Chris Stevenson, Senior Attorney, DLA Piper

Overview

1. What is Open Source Software?
2. Common Open Source Software Licenses
3. Why Should Your Clients Care About Open Source Software?
4. Steps Your Clients Should Take

www.dlapiper.com

What is Open Source Software?

Common Misconceptions About Open Source

"Open source is in the public domain."

"All open source licenses require the release of source code for everything."

"I downloaded this software for free, so it's open source, right?"

"None of these agreements are enforceable so it doesn't really matter anyway."

"No one will ever know."

Open Source Software Definition

• Software available as source code and offered to all on standard terms under an open source license
• Open Source License
  • Foundation: Four Freedoms
  • OSI: Ten Attributes
  • Generally allow anyone to:
    • Run
    • Study
    • Redistribute
    • Distribute Modifications

Who is Using Open Source?

• Nearly everyone uses open source software
• Open source components found in 99% of all software applications scanned*
• Average code base contained 445 open source components (up from 298 in 2018)
• Open source made up an average of 70% of the code base (up from 60% in 2018)
• 75% of audited code bases contained at least one open source software security vulnerability
• Few companies can produce an open source list with any confidence

* Source: Black Duck by Synopsys 2020 Open Source Security and Risk Analysis Report

Open source can enter codebases from a variety of sources

[Diagram: sources feeding "Your Software Application" within "THE ENTERPRISE": FOSS Community; Internally Developed Code; Outsourced Code Development; Commercial 3rd-Party Code]

Benefits to Developers Using Open Source

• Lower development costs and accelerated development cycles
  • Little or no up-front development
  • Time to market
  • Source code already exists
• Increased user base
  • Provides assistance in tracking and resolving errors
  • Defects are found before you find them
  • Defects are already fixed when you find them
  • More immediate feedback on desired functions

Benefits to End Users of Open Source

• Low cost at the point of acquisition
• Low barrier to adoption
• Swifter acquisition cycle: try before you buy
• Flexibility at deployment, predictable license costs
• Easy to customize software
• Commercial and community support

Common Open Source Software Licenses

Basic Open Source Vocabulary

• Permissive
  • Modifications/enhancements may remain proprietary. Distribution in source code or object code permitted provided copyright attribution & liability disclaimer are included
  • Examples: Berkeley Software Distribution (BSD), MIT, Apache
• Restrictive/Reciprocal/
  • Requires licensee to make improvements, enhancements and derivative works available under similar terms
  • Examples of reciprocal licenses: GPL, LGPL, AGPL, EPL, CDDL
• Attribution
  • Notice/publicity for contributors of code
  • Sample attribution clause: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software"

Open Source License Spectrum

[Chart: licenses arranged on a spectrum from Restrictive/Reciprocal through Less Restrictive to Permissive. Licenses listed:]

• GNU General Public License (GPL)
• GNU Lesser General Public License (LGPL)
• GNU Affero General Public License (AGPL)
• Creative Commons Attribution Non Commercial Share-Alike License
• Open Software License v2.0
• (MPL)
• (CPL)
• Public License (EPL)
• Common Development and Distribution License (CDDL)
• IBM Public License (IPL)
• Microsoft Public License (MS-PL)
• Artistic License
• Perl Artistic License
• Creative Commons Attribution v2.0 and v2.5
• Code Project Open License (CPOL)
• MIT License
• BSD License
• v1.1
• W3C Software Notice and License
• Open Symphony License
• Apache License v 2.0
• v2.1

Reciprocal License Example: GPL (Key Provisions)

GPL v.2 (Section 2.b.)
You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this license.

GPL v.2 (Section 3)
You may copy and distribute the Program (or a work based on it) in object code or executable form … provided that you also do one of the following:
• accompany it with the complete corresponding machine-readable source code … on a medium customarily used for software interchange; or,
• accompany it with a written offer … to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code.

Less Restrictive Example: Mozilla Public License

MPLv.2.0 (Section 3.1)
All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License.

(Section 3.2)
If You distribute Covered Software in Executable Form then:

(a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form…

MPLv.2.0 (Section 3)
"Modifications" means any of the following:
• any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or
• any new file in Source Code Form that contains any Covered Software.

Permissive License Example: The MIT License

Grant of broad rights to use, modify etc.:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software … to deal in the software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software

Obligation to include copyright notices etc.:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the software.

Disclaimer of liability by authors:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED … IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY … ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE

(Not so) Common Open Source Licenses: The Chicken Dance

Rights Granted:
• Broad, permissive license grants
• Permits redistribution and use, with or without modification

Restrictions:
• Must retain copyright notices and conditions
• Cannot use licensor’s name for promotion or endorsement
• Redistribution without associated source code requires:
  • For every thousand (1,000) units distributed, at least half of the employees or persons affiliated with the product must listen to the "Der Ententanz" (AKA "The Chicken Dance") as composed by Werner Thomas for no less than two (2) minutes
  • For every twenty-thousand (20,000) units distributed, one (1) or more persons affiliated with the entity must be recorded performing the full Chicken Dance, in an original video at the entity's own expense, and a video encoded in OGG Theora format or a format and codec specified by , at least three (3) minutes in length, must be submitted to , provided 's contact information. Any and all copyrights to this video must be transferred to . The dance featured in the video must be based upon the instructions on how to perform the Chicken Dance that you should have received with this software.
  • Any employee or person affiliated with the product must be prohibited from saying the word "gazorninplat" in public at all times, as long as distribution of the product continues.

Why Should Your Clients Care About Open Source?

Why Businesses Should Care About Open Source Compliance

• Using restrictive open source licenses can result in proprietary source code having to be disclosed to the public
• Businesses are potential targets for community or commercial enforcement
• Response to customer inquiries about software provenance (i.e., the origins of software)
• Positioning for due diligence in the event of an acquisition of the company or assets and to integrate their own acquisitions
• Security vulnerabilities

Consequences of Open Source Non-Compliance

• Commercial considerations
  • Non-compliance creates issues in responding to customer inquiries
  • Customers, resellers, etc. want to know what they are getting and will typically want to know if there is open source in the product, especially on-prem products
  • Do not want risk of reciprocal open source software
  • Non-compliance may create contractual liability downstream
  • Non-compliance may form basis of breach of agreement and be used as a basis to avoid payment, e.g., Versata/Ximpleware
• Community enforcements
  • BusyBox suits: settlements include payment of undisclosed amounts as well as requirement to appoint compliance officer to manage open source compliance
  • Cisco suit: FSF sued Cisco for violation of GPL in Linksys router code; settlement included appointment of open source compliance officer, releasing source code and making a donation of undisclosed amount to the FSF

Consequences of Open Source Non-Compliance

• Commercial enforcement
  • Copyright remedies such as injunctive relief and statutory damages (may be higher and therefore more commonly claimed than actual damages) are available
    • $750-30,000/work that is infringed or $150,000/work that is infringed for willful infringement
    • Each open source component in a product is potentially a work that is infringed for purposes of statutory damages
  • Increased enforcement by commercial enforcers, e.g., Artifex enforcing Ghostscript and seeking royalties or settlements
  • Copyright profiteering and injunctive relief, e.g., McHardy suits in Germany

Steps Your Clients Can Take Now

Implement Best Practices

• Have a plan to identify, quantify and mitigate third party software-related risks
• Conduct periodic software audits and code scans of in-licensed code
  • Identify
  • Analyze
  • Plan/Remediate
• Develop policies and procedures for using open source
  • Written
  • Implementation date
  • Approval process
• Assess ongoing compliance
• Implement for both internal code and transactions (and update agreements)

Implement Best Practices

• Systemic
  • Baked in to the culture & workflow
• Event Driven
  • Component approval request
  • Planning a release
  • Accepting a code drop from a vendor/outsourcer
  • Performing a build
  • Creating a release
• Embrace Supply Chain Techniques
  • Workflow automates task creation
  • Notifications
  • Process Monitoring
  • Central repositories of data

Thank you