License Information Management

License Information Management - Case Study (Steve Winslow and Kate Stewart, The Linux Foundation): For modern open source software projects, license compliance presupposes that a developer or distributor can determine what licenses are present in a codebase. Managing, locating and maintaining license information for a large open source project is often far more complex than simply posting a single LICENSE.txt file. In this tutorial, Steve Winslow and Kate Stewart will present real-world examples to demonstrate techniques and best practices for identifying applicable licenses, handling license compatibility, and communicating license information to a project's contributors and users.

1.License Information Management: Zephyr Case Study Kate Stewart & Steve Winslow Linux Foundation

2.Opening Up Your Source Code So you picked a license...

3.Opening Up Your Source Code So you picked a license... Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUC 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of ... LICENSE.txt ...now what? ”Confetti Girl” image by Scout; used under CC0-1.0; https://openclipart.org/detail/232158/confetti-girl

4.Opening Up Your Source Code What licenses are already inside your source code? ”Tin can” image by jhnri4; used under CC0-1.0; https://openclipart.org/detail/194577/tin-can

5.Opening Up Your Source Code What licenses are already inside your source code? (potentially more than you expected) “Worm” image by neo1012; used under CC0-1.0; https://openclipart.org/detail/82867/worm “Inchworm” image by artonymous; used under CC0-1.0; https://openclipart.org/detail/177554/inchworm ”can - coloured” image by frankes; used under CC0-1.0; https://openclipart.org/detail/246208/can-coloured

6-19.Opening Up Your Source Code An existing code base might contain:
• your own code
• third-party proprietary code
• incompatible open source licenses
• missing open source licenses
• puzzling license statements, e.g. “See LICENSE in LICENSE” (with no LICENSE file in the repo), or “Licensed under the Creative Commons Attribution 4.0 International License, titled CC-BY-SA-4.0”
• your own confidentiality notices
• code with snarky licenses, e.g. “This is free software; you can redistribute it and/or modify it under the terms of the BSD License. Use by owners of Che Guevarra parafernalia is prohibited, where possible, and highly discouraged elsewhere.”
• code with secret keys or passwords
• code with security vulnerabilities
• dependencies and (sub)dependencies with any of the above
Pencil image by TheUjulala; used under CC0-1.0 https://pixabay.com/en/pencil-pen-orange-red-eraser-190586. ”Cles de serrure – lock keys” image by enolynn; used under CC0-1.0 https://openclipart.org/detail/190821/cles-de-serrure-lock-keys. Heartbleed logo image by Synopsys, Inc.; used under CC0-1.0 http://heartbleed.com/

20.Tempting Response: Ignore it Drop in a LICENSE.txt file and declare yourself done

21.License Management General process: • Identify licenses • Address incompatibilities • Address compliance • Communicate licenses

22.License Management General process: • Identify licenses • Address incompatibilities • Address compliance • Communicate licenses. This talk focuses on the first two, identifying licenses and addressing incompatibilities; getting these right enables meaningful conversations about the other two.

23.License information can be managed! This is not an insurmountable challenge Tackling it benefits projects and benefits the whole ecosystem (and not just by making lawyers happier!) Avoid making “perfect” the enemy of “better” There are gaps in today’s tooling but there is also forward progress

24.Identifying Licenses Goal 1: Determine which licenses are relevant to your project Goal 2: Do so in an automated, scalable way

25.Identifying Licenses Different types of scans: • license scanning • code scanning • dependency scanning

26.Scanning Tools Quick and dirty; no tooling needed. Manual searches: look for relevant words / fragments: • “licen” • “redist” • “copyright” • common license fragments: “bsd”, “gpl”, “general public”, “cddl”, ... Use grep -nri (or your favorite command line args), or Ctrl-F (or your favorite editor’s equivalent).

27.Scanning Tools FOSSology is used to scan a codebase for licenses Performs textual analysis and regular expression scanning to identify likely license notices and references Supplemented with manual review to remove false positives and investigate unusual findings

28.Scanning Tools Version 3.3 released in May 2018 Since 3.2 it includes: • SPDX file imports • Obligation analysis and summaries https://www.fossology.org/ https://github.com/fossology/fossology
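Slides 26 and 27 describe the same technique at two levels: a manual grep for words such as “licen”, “redist” and “copyright”, and FOSSology’s textual and regular-expression scan of notice text followed by manual review to weed out false positives. The script below is an added example of that approach, written for this page; it is not FOSSology, ScanCode or Zephyr code. It walks a source tree, maps a small table of license fragments and SPDX-License-Identifier tags to SPDX identifiers, and triages each file into identified, conflicting (more than one license claimed in one file, as in the CC-BY-4.0 / CC-BY-SA-4.0 statement from slide 11), needs-review (license-ish words but no recognizable license) and silent. The pattern table, the skip list and the sample files are constructed for the demo and cover only a handful of licenses; a real scan uses the full rule sets of the tools on the next slides.

```python
"""Minimal grep-and-regex license scanner (added example, not FOSSology/ScanCode code)."""
import re
import tempfile
from pathlib import Path

# Fragment -> SPDX identifier, most specific first. An explicit SPDX tag (spdx=None)
# is taken verbatim. This table is an assumption for the demo, not a complete rule set.
LICENSE_PATTERNS = [
    (r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)", None),
    (r"Apache License,?\s*Version 2\.0", "Apache-2.0"),
    (r"GNU (?:Lesser|Library) General Public License|\bLGPL\b", "LGPL"),
    (r"GNU General Public License|\bGPL\b", "GPL"),
    (r"Redistribution and use in source and binary forms", "BSD"),
    (r"Permission is hereby granted, free of charge", "MIT"),
    (r"Creative Commons Attribution[- ]ShareAlike 4\.0|CC-BY-SA-4\.0", "CC-BY-SA-4.0"),
    (r"Creative Commons Attribution 4\.0|CC-BY-4\.0", "CC-BY-4.0"),
]
# The slide-26 search words: not enough to name a license, but enough to demand a look.
HINT_RE = re.compile(r"licen[cs]e|redistribut|copyright", re.IGNORECASE)
SKIP_DIRS = {".git", "node_modules", "build"}  # assumed noise directories


def scan_text(text):
    """Return (sorted SPDX ids found, True if license-related words are present)."""
    found = set()
    remaining = text
    for pattern, spdx in LICENSE_PATTERNS:
        rx = re.compile(pattern, re.IGNORECASE)
        for m in rx.finditer(remaining):
            found.add(m.group(1) if spdx is None else spdx)
        # Blank out consumed text so the broad GPL rule cannot re-match text
        # already claimed by the more specific LGPL rule above it.
        remaining = rx.sub(" ", remaining)
    return sorted(found), bool(HINT_RE.search(text))


def scan_tree(root):
    """Scan every regular file under root; keys are POSIX-style relative paths."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        results[rel.as_posix()] = scan_text(text)
    return results


def summarize(results):
    """Triage for the manual-review step: identified / conflicting / needs_review / silent."""
    summary = {"identified": {}, "conflicting": [], "needs_review": [], "silent": []}
    for rel, (ids, hint) in results.items():
        if len(ids) > 1:
            summary["conflicting"].append(rel)  # e.g. CC-BY-4.0 and CC-BY-SA-4.0 in one notice
        if ids:
            summary["identified"][rel] = ids
        elif hint:
            summary["needs_review"].append(rel)  # "See LICENSE in LICENSE" and friends
        else:
            summary["silent"].append(rel)
    return summary


# Constructed sample tree mirroring the cases from slides 6-19.
SAMPLE_FILES = {
    "LICENSE.txt": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n",
    "src/main.c": "// SPDX-License-Identifier: Apache-2.0\nint main(void) { return 0; }\n",
    "third_party/crc.h": "/* Copyright (c) 2010 Someone\n * Redistribution and use in source and "
                         "binary forms, with or without modification, are permitted */\n",
    "lib/compat.c": "/* Shipped under the GNU Lesser General Public License */\n",
    "docs/README.md": "Licensed under the Creative Commons Attribution 4.0 International "
                      "License, titled CC-BY-SA-4.0\n",
    "scripts/helper.py": "# Copyright 2018 Example Corp. See LICENSE in LICENSE\nprint('hi')\n",
    "scripts/build.sh": "#!/bin/sh\nmake all\n",
}


def run_demo():
    """Write the sample tree to a temp dir, scan it and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    for bucket, entries in run_demo().items():
        print(f"{bucket}: {entries}")
```

The four buckets are the point: the tool only gets you to a shortlist, and the conflicting and needs-review files are exactly where the human review the FOSSology slide talks about has to happen.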

29.Scanning Tools ScanCode Toolkit by nexB. From ScanCode’s README: ScanCode is a suite of utilities used to scan a codebase for license, copyright, package manifests and dependencies and other interesting information that can be discovered in source and binary code files. https://github.com/nexB/scancode-toolkit ScanCode Toolkit screenshot Copyright (c) 2017 nexB Inc. and others; used under Apache-2.0 https://github.com/nexB/scancode-toolkit/blob/develop/samples/screenshot.png