fork ( ) in the road - gplv3 and the cost of open source consensus - ocri 45th circuit nov 2007

8/9/2019 fork ( ) in the Road - GPLv3 and the Cost of Open Source Consensus - OCRI 45th Circuit Nov 2007

1/22

gowlings.com

Montral | Ottawa | Kanata | Toronto | Hamilton | Waterloo Region | Calgary | Vancouver | Moscow

The Power of Original Thought

fork() in the Road GPLv3 and the

Cost of Open Source ConsensusOCRI - 45th Circuit

November 6, 2007

Thomas Prowse, Partner

Kanata Technology Law Office


2/22


Agenda

Open Source Software ("OSS") intro

Pros and Cons of OSS

OSS legal issues overview

10 things you ought to know about GPLv3

A policy based approach to OSS

Q&A


3/22


What is Open Source Software (OSS)?

1. Free Redistribution

2. Source Code

3. Derived Works

4. Integrity of The Author's Source Code

5. No Discrimination Against Persons or Groups

6. No Discrimination Against Fields of Endeavor

7. Distribution of License

8. License Must Not Be Specific to a Product

9. License Must Not Restrict Other Software

10.License Must Be Technology-Neutral


4/22


The 2.5 categories of OSS

A fair amount of OSS is permissive

In most cases, the reproduction of the copyright

notice / disclaimer is the only requirement

Examples include BSD, MIT

The other major category of OSS is reciprocal

While the GPL license is the leading example, there

are two subcategories

elastic e.g. Eclipse Public License unified e.g GPLv3 and Affero


5/22


Pros and Cons of OSS

pros

Solid technology

Familiar technology

Very large ecosystem Peer review

Community support

Access to source code

Faster time to productivity

Reduced time-to-market

Lower development costs

career portability

cons

License Contamination

Product Constraints

Unknown Origins

No WarrantyNo Indemnification

Possible lawsuits/injunctions

Unpredictable evolution

Customer Concerns

No Formal Support

Security Concerns

ALL OBLIGATIONS mustbe met


6/22


OSS legal issues

OSS is best approached as a Gordian knot of

technical, business, and legal issues

There are a couple of threshold legal issues that

apply to all OSS (and most software) pedigree are you getting what you think you

are getting

Bummer of a birthmark, Hal risks are you

putting your hand up for a lawsuit license to??? have you obtained and fully

assessed the OSS software license


7/22


OSS legal issues (continued)

The manner in which OSS is to be used has

significant implications

For example, it has been generally accepted that

almost all OSS can be used in a modified form eitherinternally or for delivery of a hosted service without

triggering an obligation to release the modified

source code

Accordingly, you need to focusprimarilyon the

modification (with distribution) of OSS and the

association of OSS with other code


8/22



10 Dtente in our time

GPLv3 is the by-product of an unprecedented OSS public consultationprocess under which the Free Software Foundation (FSF)established four committees to represent different interests in thelicense

Unlike GPL (1989) and GPLv2 (1991) which written by RichardStallman, the latest version went through several public drafts andrationale documents

While GPLv3 reflects the inherent limitations of a consensusdocument, the consultation process is an important signal ofincreasing acceptance, and a fundamental shift towards dtente (if notpeace), between the OSS and proprietary software communities


9/22



9 But you forgot to vacuum in the corners.

Several issues under GPLv2 remain open under GPLv3

In particular, the challenge of determining what constitutes a work

based on another work remains essentially unchanged The best view is that the underlying legal test remains a copyright

based determination as to whether a derivative work has beencreated

Since this is the major trigger for the reciprocity obligation under thecopyleft license, this assessment must be made whenever software

covered by the GPLv3 license is associated with other software This assessment, which can only be made on a case-by-case basis

taking into account the factual circumstances of each situation,remains one of the greatest OSS challenges.


10/22



8 Around the world in 80 days: internationalization agenda

The GPLv2 license was generally considered to be U.S.-centric in itsdrafting

GPLv3 adopts more internationally consistent terminology to addressthis concern

In particular, GPLv3

defines propagate and convey to address some of thelimitations of the GPLv2 term distribute in the internationalcontext

In addition, GPLv3 permits developers to add certain disclaimersthat may be required under local law


11/22



7 Born free the truly independent contractor

GPLv2 created uncertainty as to whether an independent contractorcould be retained to modify OSS without having the essential

distribution back from the contractor triggering the reciprocityobligations

GPLv3 addressed this issue by making it clear that code can betransferred to an independent contractor in order for them to makeprivate modifications for the exclusive benefit of the user withoutrequiring the release of those modifications

While the contractor must be granted full rights under any publicGPLv3 code, this allows the existing or developed privatemodifications to remain private


12/22



6 Library card, get your library card here

One important change in GPLv3 is its clarification with respect to thedynamic linking of certain GPLv3 libraries

Where a program has been specifically designed to require the GPLv3library, the obligation to provide the source code for the program istriggered.

On the other hand, where a program has been designed to work with anumber of different libraries (typically through a standard API orinterface), the use of that program with a GPLv3 library does not

appear to trigger the reciprocity obligation While this clarity around the use of GPLv3 libraries is welcome, it

potentially impacts any organizations that have relied on the static vs.dynamic linking distinction and that should now shift to the betterderivative work of copyright determination approach


13/22



5 User serviceable parts inside: DRM & consumer devices

GPLv3 adopts a number of Digital Rights Management (DRM) relatedprovisions

In general terms, DRM is the use of technical means to prevent access,modification, or reproduction of certain works

The first branch of the GPLv3 DRM provisions, prohibits the use of GPLv3programs as part of a DRM (through a waiver of statutory circumventionprohibition rights)

Under the second branch, a user of a consumer device has the right to modifyGPLv3 code on, and re-load the modified code to, that device as well as the

right to obtain associated installation information While this second branch has a number of reasonable limitations concerning

consumer devices incapable of being updated, warranty waivers formodifications, and network access denial options, these provisions will be ofgreat interest and importance to companies in the consumer device space


14/22



4 Whats yours is now ours Patents under GPLv3

Unlike the implied license under GPLv2, GPLv3 has explicit patent license provisions

There are 3 main branches to these rather complex provisions

Distributors of modified GPLv3 code grant a license to all recipients of the codeunder any patent claims, under the distributors control, that read on thedistributed code (note: mere distribution of unmodified code does not trigger thispatent license)

The mandatory extension of all licenses granted under patents (including patentsnot controlled by the distributor) with respect to a particular GPLv3 work to allrecipients of that work

Certain third party arrangements, that indirectly grant a user a patent license, are

prohibited Certain OSS activities can easily result in inadvertent patent licensing and this risk

may, in fact, be most acute in a smaller technology company with a targeted patentportfolio that could easily be licensed in the absence of a close alignment of its OSSactivities with its strategic business plan.


15/22



3 A house divided against itself . fork() #1

One fascinating aspect of the GPLv3 initiative was the disagreement between

the FSF and the Linux kernel OSS community over issues like DRM

As a result of this disagreement, the Linux kernel community, and a number ofOSS projects, has elected to remain at GPLv2 (GPLv2 only code)

The new restriction introduced in GPLv3 have made that license incompatible

with GPLv2

As a result, there is new complexity around GPL (and LGPL code) with respect

to the respective versions and issue of license compatibility

While these are still early days for GPLv3, there is a significant risk that the

OSS community may elect to fork between GPLv3 and GPLv2 resulting in two

somewhat isolated and incompatible OSS ecosystems


16/22



2 But I really wanted to be your host. fork() #2

It is evident, from the record of the public consultation process, that theOSS community was divided with respect to the hosting exemption under

GPLv3 Under this hosting exemption, users are free to modify and use OSS codeto provide a hosted service without any obligation to release the modifiedcode to the OSS community

While GPLv3 elected to preserve the hosting exemption, it does makereference to the GNU Affero General Public License

The most significant legacy of GPLv3 may well be found in the legitimacythat it provides to the Affero license

While these are still early days for both Affero (the latest version) andGPLv3, there is a significant risk that the OSS community may elect to forkbetween GPLv3 and Affero on the hosting exemption resulting in twosomewhat isolated and incompatible OSS sub-ecosystems


17/22



1 Invite (and assign seats) carefully for the party fork() #3

The most significant GPLv3 change, and challenge, is in the area of licensecompatibility and analysis

GPLv3 has added flexibility to adopt specified terms in order to ensurecompatibility with certain other OSS licenses such as the Apache and MITlicenses

This pursuit of license compatibility is, however, at the expense of theuniformity of the GPLv3 license itself since a wide permutation of addedprovisions may cause many GPLv3 licenses to be somewhat unique

This uniqueness can further compound the challenge of license compatibility

and analysis in a mixed software environment There is, accordingly, a serious risk that that license compatibility provisions in

GPLv3 may drive the community towards the formation of distinct andincompatible sub-systems of OSS code thereby undercutting the stated goal oflicense compatibility itself


18/22


A Policy-based approach

Your organization needs to have a policy in place to address its

use of OSS

This OSS policy should ensure that the pedigree, risk, and

license assessment steps are consistently followed and that the

license information and the OSS code are properly archived

For the reasons set out above, the policy needs to focus

primarily on the modification (with distribution) of OSS and the

combination of OSS with other code

Applicable procedures and processes should be put in place to

ensure that all obligations are fully understood and fullycomplied with


19/22


A Policy-based approach (continued)

In many instances, the OSS policy will provide a framework

for good up-front and well informed architectural decisions

that will adequately address the situation

In other cases, more sophisticated approaches (such as the

creation of a middle-ware layer) will need to be adopted tofully implement your organizations OSS policy

Given the complexity of the OSS licenses, your organization

will need to ensure that it has the resources necessary to

support its OSS policy in making these critical assessments

Your organization will also need to put monitoring processesin place to ensure full compliance with any adopted policies,

procedures, and approaches


20/22


Summary

The use of OSS by your organization gives rise to a

Gordian knot of technical, business, and legal

issues

GPLv3 affords your organization new answers, newquestions, and new and old challenges in the OSS

arena

A policy based approach to OSS will enable your

organization to balance the tensions among

competing legal, business, and technicalconsiderations and to steer its way through the

complexities of OSS on its journey to success


21/22


Wrap-up

Q & A


22/22


Thomas Prowse

613.783-8988

[email protected]

Thank You


gowlings.com

The Power of Original Thought

fork ( ) in the road - gplv3 and the cost of open source consensus - ocri 45th circuit nov 2007

Documents