License Information Management
Slide 1: License Information Management: Zephyr Case Study. Kate Stewart & Steve Winslow, Linux Foundation
Slide 2: Opening Up Your Source Code. So you picked a license...
Slide 3: Opening Up Your Source Code. So you picked a license... (LICENSE.txt shown: Apache License Version 2.0, January 2004, http://www.apache.org/licenses/, TERMS AND CONDITIONS FOR USE, REPRODUC... 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of ...) ...now what? "Confetti Girl" image by Scout; used under CC0-1.0; https://openclipart.org/detail/232158/confetti-girl
Slide 4: Opening Up Your Source Code. What licenses are already inside your source code? "Tin can" image by jhnri4; used under CC0-1.0; https://openclipart.org/detail/194577/tin-can
Slide 5: Opening Up Your Source Code. What licenses are already inside your source code? (potentially more than you expected) "Worm" image by neo1012; used under CC0-1.0; https://openclipart.org/detail/82867/worm. "Inchworm" image by artonymous; used under CC0-1.0; https://openclipart.org/detail/177554/inchworm. "can - coloured" image by frankes; used under CC0-1.0; https://openclipart.org/detail/246208/can-coloured
Slides 6-19: Opening Up Your Source Code. An existing code base might contain (the list builds up one item per slide):
• your own code
• third-party proprietary code
• incompatible open source licenses
• missing open source licenses
• puzzling license statements, e.g. "See LICENSE in LICENSE" (with no LICENSE file in the repo), or "Licensed under the Creative Commons Attribution 4.0 International License, titled CC-BY-SA-4.0"
• your own confidentiality notices
• code with snarky licenses, e.g. "This is free software; you can redistribute it and/or modify it under the terms of the BSD License. Use by owners of Che Guevarra parafernalia is prohibited, where possible, and highly discouraged elsewhere."
• code with secret keys or passwords
• code with security vulnerabilities
• (sub)dependencies with any of the above
Image credits: Pencil image by TheUjulala; used under CC0-1.0; https://pixabay.com/en/pencil-pen-orange-red-eraser-190586. "Cles de serrure - lock keys" image by enolynn; used under CC0-1.0; https://openclipart.org/detail/190821/cles-de-serrure-lock-keys. Heartbleed logo image by Synopsys, Inc.; used under CC0-1.0; http://heartbleed.com/
Slide 20: Tempting Response: Ignore it. Drop in a LICENSE.txt file and declare yourself done.
Slide 21: License Management. General process: • Identify licenses • Address incompatibilities • Address compliance • Communicate licenses
Slide 22: License Management. General process: • Identify licenses • Address incompatibilities (this talk focuses on these two; getting them right enables meaningful conversations about the other two) • Address compliance • Communicate licenses
Slide 23: License information can be managed! This is not an insurmountable challenge. Tackling it benefits projects and benefits the whole ecosystem (and not just by making lawyers happier!). Avoid making "perfect" the enemy of "better". There are gaps in today's tooling, but there is also forward progress.
Slide 24: Identifying Licenses. Goal 1: Determine which licenses are relevant to your project. Goal 2: Do so in an automated, scalable way.
Slide 25: Identifying Licenses. Different types of scans: • license scanning • code scanning • dependency scanning
Slide 26: Scanning Tools. Quick and dirty; no tooling needed: manual searches with grep -nri (or your favorite command line args) or Ctrl-F (or your favorite editor's equivalent). Look for relevant words / fragments: "licen", "redist", "copyright", and common license fragments such as "bsd", "gpl", "general public", "cddl", ...
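As an added example (not code from the deck or from any of the tools it names), the manual fragment search above written as a small Python scanner: it walks a source tree for the listed fragments and also flags the two "puzzling license statement" shapes shown earlier in the deck. The sample files it builds are constructed, and the regex names and the demo helper are assumptions of this example.

```python
import os
import re
import tempfile

# Fragments from the deck's "quick and dirty" manual search; extend as needed.
FRAGMENTS = ["licen", "redist", "copyright", "bsd", "gpl", "general public", "cddl"]
FRAGMENT_RE = re.compile("|".join(re.escape(f) for f in FRAGMENTS), re.IGNORECASE)
# Two "puzzling statement" shapes from the deck: a pointer to a LICENSE file
# (suspicious when no such file exists) and a CC-BY notice naming a CC-BY-SA id.
POINTER_RE = re.compile(r"\bsee\s+LICENSE\b", re.IGNORECASE)
CC_MISMATCH_RE = re.compile(r"Attribution 4\.0 International.*\bCC-BY-SA-4\.0\b", re.IGNORECASE)
SKIP_DIRS = {".git", "node_modules", "build"}


def scan_tree(root):
    """Return (hits, warnings): hits are (relpath, lineno, text) for lines carrying
    a license fragment; warnings flag puzzling statements for manual review."""
    hits, warnings = [], []
    has_license_file = any(n.upper().startswith("LICENSE") for n in os.listdir(root))
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                for lineno, text in enumerate(fh, 1):
                    text = text.rstrip("\n")
                    if FRAGMENT_RE.search(text):
                        hits.append((rel, lineno, text))
                    if POINTER_RE.search(text) and not has_license_file:
                        warnings.append(f"{rel}:{lineno}: refers to LICENSE but no top-level LICENSE file")
                    if CC_MISMATCH_RE.search(text):
                        warnings.append(f"{rel}:{lineno}: CC-BY-4.0 wording but CC-BY-SA-4.0 identifier")
    return hits, warnings


def demo(with_license=False):
    """Constructed sample tree (hypothetical files) holding the deck's two puzzling notices."""
    root = tempfile.mkdtemp()
    samples = {
        "src/util.c": "/* Copyright (c) 2018 Example Corp. See LICENSE in LICENSE */\nint x;\n",
        "docs/README": "Licensed under the Creative Commons Attribution 4.0 International License, titled CC-BY-SA-4.0\n",
        "src/main.c": "int main(void) { return 0; }\n",
    }
    if with_license:
        samples["LICENSE"] = "Apache License Version 2.0, January 2004\n"
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Running `demo()` returns two fragment hits and two warnings; with `with_license=True` the LICENSE pointer warning disappears and the LICENSE file itself becomes a hit.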
Slide 27: Scanning Tools. FOSSology is used to scan a codebase for licenses. It performs textual analysis and regular expression scanning to identify likely license notices and references, supplemented with manual review to remove false positives and investigate unusual findings.
Slide 28: Scanning Tools. FOSSology version 3.3 was released in May 2018. Since 3.2 it includes: • SPDX file imports • Obligation analysis and summaries. https://www.fossology.org/ https://github.com/fossology/fossology
Slide 29: Scanning Tools. ScanCode Toolkit by nexB. From ScanCode's README: ScanCode is a suite of utilities used to scan a codebase for license, copyright, package manifests and dependencies and other interesting information that can be discovered in source and binary code files. https://github.com/nexB/scancode-toolkit. ScanCode Toolkit screenshot Copyright (c) 2017 nexB Inc. and others; used under Apache-2.0; https://github.com/nexB/scancode-toolkit/blob/develop/samples/screenshot.png