Nov 22

Legal Risks of Open Source – GPL/Linux Loadable Kernel Modules

Loadable Kernel Modules are user written software which tightly binds with the operating system kernel and runs in the same address space as the kernel.  This requires calls to the kernel using specially defined kernel functions.

From the point of view of the commercial software developer that develops the “user” written software, they are binding to the kernel in order to improve the execution speed and reduce the resource consumption of their software.  From the point of view of the kernel developer, at least in the case of the Linux kernel, the user written software is extending the function of the kernel, is based on the kernel, and is basically a derivative work of the kernel.

This difference in point of view is leading to a disagreement about open source licenses, which increases the legal risk for commercial developers who develop software that runs on Linux, and which is implemented as Loadable Kernel Modules.

Basically, the Free Software Foundation argues that since the Linux kernel is licensed under GPL, and since the user software that is implemented as a Loadable Kernel Module is based on the Linux kernel, the user code should also be licensed under the GPL and given away as open source.   Also, any user code that is statically linked to the Loadable Kernel Module should also be licensed under GPL.  The FSF believes this is an especially strong argument because the calls to the Linux kernel that enable Loadable Kernel Modules are labeled as “GPL only,” so the user that implements Loadable Kernel Modules is implicitly agreeing to the GPL licensing requirement.

Many commercial software developers argue that this user written Loadable Kernel Module is not based on Linux or a derivative of Linux, but is separate and independent and they should not be compelled to license it under GPL. They would further argue that their user code runs on several kernels and is not dependent on the Linux kernel in particular.

Regardless of which side of that legal issue you are on, you can see the potential for signficant legal risk with alarming viral implications.

At Source Auditor, we believe it is best to:

  • not implement user code as a LKM, if working on top of Linux
  • for user code that must be developed as LKMs on top of Linux (this is often required of device drivers), the commercial software developer has to accept the strong possibility that their LKMs will need to be open sourced under GPL.
  • for user code that must be developed as LKMs on top of Linux, these should be isolated, ie, not statically linked to your other code.  There are “glue code” models that can be used for this.
  • your existing source code should be audited for LKM implementations.  These are easy to spot as the calls to the Linux kernel are well defined.  Here is a wiki article with more detail on LKMs:

Nov 16
This is a list of the top 15 open source licenses as seen in Source Auditor. Each link leads to the license text for that license.  This is useful in generating your policy as to which open source licenses are acceptable to your organization, and which open source licenses are not.  We will periodically update this list and add more licenses.

GNU General Public License (GPL) 2.0

GNU Lesser General Public License (LGPL) 2.1

Artistic License (Perl)

BSD License 2.0

GNU General Public License (GPL) 3.0

Apache License 2.0

MIT License

Mozilla Public License (MPL) 1.1

Common Public License (CPL)

zlib/libpng License

Eclipse Public License (EPL)

Python Software Foundation License

Apache License 1.1

PHP License Version 3.0

Open Software License (OSL)

Nov 13

There was a legal judgment last August which is pretty significant in terms of upholding the rights of open source copyright and license holders.

The Court of Appeals for the Federal Circuit Court, which is considered the most important intellectual property appeals court in the US, upheld a open source copyright license.

In non-technical terms, the Court has held that open source licenses have the right to set conditions on the use of copyrighted work. So, even if an open source license does not collect royalty fees, it is a copyright license and the conditions need to be honored.  If you violate the condition, the license disappears, and you are a copyright infringer.  In other words, a open source license is just like a commercial license in that if you use the open source, you have to honor the conditions of the license.

Here is the opinion:

This is very significant as some previously had the theory that because an open source license did not collect monetary fees, there was no real “contract” and the conditions in the license were not really enforceable.

So there you have it.  Many engineers in commercial software companies download open source and incorporate it into their commercial software, without honoring the license obligations.  This case, clearly establishes that the license obligations must be honored, or it is a case of copyright infringement which can lead to losing battles in court.

All of this reinforces the basic conclusion, commercial software developers should set a open source governance policy.  They should decide which open source licenses have conditions which are acceptable to the organization and can be fulfilled.  Any licenses which have conditions which are not acceptable should not be approved.

The organization should also scan for open source in the current source code base, using either manual methods or a professional audit firm like Source Auditor.  The organization should remove any open source which is associated with licenses which are not approved and not acceptable to the organization.  For many commercial organizations, this is usually open source associated with the GPL license, which accounts for over 50% of the projects in open source repositories like Sourceforge.

Of course, many GPL licensed open source projects have similar project counterparts that are licensed with friendlier licenses like Public Domain, MIT, BSD, CPL, or Apache.

The policy should also be enforced going forward, ie, the organization should review new proposed additions of open source to the commercial code base, and should decide if the proposed addition license is acceptable before approving the addition.

Nov 9

In a commercial software company, it is common practice for software developers to download free open source and incorporate that source within their own software. Most developers ignore the license obligations that come with the software. They usually think that because the software is royalty free, the license obligations probably don’t matter.

In many cases, though it does matter, at least if the software developer is using the open source software inside the commercial product, and distributing the open source to external customers.

Open Source comes with a variety of licenses. Some like public domain have no restrictions or obligations for the software developer using, distributing, or modifying either the source code or the object code.

Other licenses, though, can have restrictions on distribution or modification of the software, and can impose obligations on attribution and re-distribution of the software.

For approximately 60% of the open source packages, there is also a provision called “copy-left” which can go viral, and contaminate the proprietary commercial software which is not open source. For many commercial software developers, this is considered unacceptable.

Of course, many organizations have negelected these open source obligations, which has recently led to a series of lawsuits. In most of the lawsuits, the courts have ruled that open source license obligations are enforceable, even if no money changed hands. Thus, it is no longer a prudent option for commercial organizations to download and incorporate open source inside their commercial products without attending to the license obligations that come with that open source.

All of this leads to the need for the commercial software developer to create polices about incorporating open source inside the commercial software and to scan for open source using either manual methods or a professional open source audit firm such as Source Auditor.

Essentially, the commercial software organization needs to decide which open source licenses contain obligations and restrictions which are acceptable to that organization, and which licenses are not acceptable. For example, the organization could create an approved license list, for example (Public Domain, BSD, MIT, Apache, SUN Binary License, Common Public License and its derivatives), while considering other license such as GPL or LGPL not approved.

The organization should also audit its current commercial software to understand a census of open source inside. Any open source inside which does not meet the organization’s policy as posing acceptable obligations and restrictions, should be replaced.

This policy should then be enforced going forward, ie, when a software developer downloads open source and considers incorporating it into the commercial software, the policy should specify whether the license that comes with that open source is an approved license for that organization or not. There should be a review board that would review new submissions to decide if new licenses should be added to the approved list.

For more information about Open Source License Obligations and about tools to audit and track open source

Firms Struggle With Open Source

Nov 7

Since there are several hundred thousand free, widely used, and well maintained open source packages on the internet, it makes perfect sense to leverage open source whenever possible.  If you are a commercial software developer that depends on selling your own software in the marketplace, however, it is important to understand the legal obligations and the legal restrictions that come with your open source license.

With most Open Source licenses, obligations and restrictions in the license only apply if you distribute the open source, i.e., you incorporate the open source inside the source or binaries that you ship to your customers.  If you use the open source software only as a tool during the development process, the obligations posed by the open source typically do not apply.

With most Open Source licenses, the typical obligations center on attribution and re-distribution.

Attribution refers to giving credit to the authors and contributors of the open source software, i.e., the commercial software provider that incorporates open source inside, might need to properly give credit to the creators of the open source.   The requirements can include none or some of the following:  do not remove copyrights in the source code; provide credit in the end user documentation; do not use the open source authors names to endorse the commercial product without permission; clearly mark if you make any modifications to the open source; if there is a redistribution requirement, clearly show in the documentation how to get the redistribution; in any advertising you do for the commercial product, make sure you acknowledge the open source component provider.

Re-distribution refers to making the open source and related components freely available, i.e., free of charge and available to the public.  This is typically under the same license as the original open source.  This can include the original open source, any modifications you make, and most importantly, any software “based on” the open source code.  “Based on” is interpreted differently depending on the license.  Some licenses are viral in nature, and by some interpretations essentially force you to make all of your own commercial software that is linked to the open source software to also be given away free.  These licenses are also called “copy-left” licenses, and pose the greatest threat to a commercial software company’s business model.

Restrictions depend on the license, but common restrictions include: do not make any modifications to the open source; do not distribute this open source software without adding value of your own with additional software; do not remove copyrights in the open source; do not initiate patent litigation against any of the contributors to the open source on the grounds that something in the open source violates one of your patent claims.  Violating these restrictions can cause the license to be terminated.

While there are several hundred unique licenses, the following discusses some of the common types:

The least restrictive licenses are public domain licenses, which are essentially no licenses at all.  Source code provide in the Public Domain are free to use without restriction i.e., you can use the source code without any attribution or re-distribution and you can make modifications and derivative works; and you can distribute any or all of the open source software as you see fit.

These are followed by MIT style licenses, so named, because these licenses follow a template created by MIT.  In these licenses, the rights are similar to public domain and the only obligation is attribution.  For MIT style licenses, this requirement is often satisfied by leaving the original copyrights that came with the open source software in place and also providing credit to the open source authors in the end user documentation.

The next common style is BSD style licenses, originally created by the University of Berkeley, with both an original and a “modified” version of the license available.  These licenses are similar to MIT style, with the additional attribution requirement that the commercial software provider cannot use the names of the open source provider as a product endorsement without explicit permission.  The original BSD license also required that in any advertising done for the commercial product, there was an acknowledgement of the open source provider; however, the modified BSD license is far more common.

The next common license style is from Apache, which is a large well organized cooperative of open source contributors, with an extensive library of open source software.  The Apache 1.1 licenses requirements are very similar to the BSD modified license requirements.  The Apache 2.0 license adds that any modifications to the open source code must be clearly marked with a change log.  The Apache 2.0 license adds an important restriction, the patent non-assert clause, which essentially states that if you initiate patent litigation against any of the authors or contributors who helped create this open source, you can no longer use the open source.

The next common set of licenses is the Common Public License and its derivatives such as Eclipse Public License, IBM Public License, Mozilla Public License, etc.  These licenses all have similar obligations to the MIT license, but they also have additional obligations in attribution and re-distribution.  The CPL license requires that the commercial software developer has to make the original CPL licensed open source code as well as any changes to that source code made by the commercial developer, available for free.  In addition, the commercial software developer has to state in the end user documentation how the user can obtain this open source code along with the changes.  Finally, the source code changes made by the commercial developer should be clearly marked.   It is important to understand, that nothing in the CPL or its derivatives compels the commercial software developer to give away for free its own code that is packaged in separate modules from the open source software.

The final common set of licenses are the LGPL v2.1 and the GPL 2.0 licenses, which together make up about 70% of all of the open source code inside, a well known open source repository.

The GPL 2.0 license has all the same attribution and re-distribution requirements as the CPL license above.  However, the GPL also require any works based on those packages to be offered (re-distributed) under the same “free to the public” terms.  Most commercial software companies consider this an unacceptable license for commercial software, because it does drive a change to their basic business model.

The LGPL v2.1 license carries a similar obligation to the GPL 2.0license but has a more restrictive definition of where the re-distribution obligation applies, which makes it friendlier to commercial companies then the GPL license.  For example, any commercial software which is dynamically linked to the LGPL licensed package does not require re-distribution.  However, the LGPL license also carries other obligations such as requiring the distributor of any package which includes the LGPL libraries to allow the end user to replace those libraries.  This may conflict with some of the terms of the commercial software package.

There are also several dozen unique licenses for individual open source packages.  While they can generally be classified as similar to one of the common licenses described above, they often have some unique requirement or feature that needs to be taken into account.

To summarize, open source licenses center on attribution and re-distribution, although they can have other requirements as well.   Understanding these license obligations, and abiding by them, is the true cost of free open source, and it is important to understand and manage these license obligations to avoid legal issues and to safely leverage open source.

When Source Auditor conducts an open source audit, we help our customers identify and understand the technical aspects of their license obligations arising from downloaded open source.  When open source packages are identified with terms unacceptable to you, we also suggest alternative implementations to replace those packages.

Nov 6

This is an interesting thought in an article in Information Week, citing the recent lawsuits that have been won by open source advocates.  The article notes that Xterasys settled a  lawsuit with the Software Freedom Law Center, where they admitted not following the provisions of the General Public License after downloading and incorporating Busy Box open source within their own product.  The kicker is that Xterasys agreed to create the post of Open Source Compliance Officer to insure they would not violate the provisions of open source license obligations in the future.

For a software developer, tracking the use of open source is something they should be doing, just as tracking the use of proprietary software is something they should be doing.  Providing that the software developer has a policy on open source licenses (they know the licenses which their organization would accept) the task of tracking what open source is used within the organization is relatively simple.   If desired, Source Auditor provides the means to audit the code and set a baseline inventory, which can then be easily maintained.

IT’s Newest Title: “Open Source Compliance Officer”

Nov 3

There have been a series of lawsuits related to unfulfilled legal obligations from open source licenses over the years. Verizon, for example, was sued by the Software Freedom Law Center on behalf of Busybox, which is a GPL licensed package. The claim was that one of Verizon’s subcontractors used a GPL licensed package in Verizon’s wireless routers, without fulfilling the re-distribution obligations of GPL. This claim was settled when Verizon’s subcontractor agreed to provide its source code free to the public.

Similarly, in recent years there have been similar successful claims against Cisco, Monsoon Multimedia, and Xterasys (see articles in the links section below). In the Cisco/Linksys case, Cisco chose to re-engineer their routers to avoid GPL based re-distribution obligations. Xterasys was settled when Xterasys agreed to pay an undisclosed sum and to meet their GPL re-distribution obligations. The Monsoon Multimedia case is still in litigation.