Open source, and the first speaker is Matthew Garrett, who is very involved with the open source community. He's done a lot of stuff over the years and he's currently a kernel developer at Red Hat, and he has done some work recently with Android, seeing how good they are with GPL compliance.

Okay, everyone hear me? Great. So as Martin said, my name is Matthew Garrett. I do not work on anything related to software licenses for a living. I am not a lawyer. I do not play a lawyer on TV. I do not play a lawyer on the Internet. Everything that I say here should not be construed as legal advice. Rather, I am presenting this from the perspective of somebody involved as a copyright holder attempting to encourage companies to do the right thing.

So, to start with: obviously, you're here. You're at an open source conference. You presumably have some belief that using open source software is going to enhance your business in some way, and open source software is a wonderful resource for businesses. You have a wide range of software that is available for commercial use. There is no piece of software released under a valid open source license that has restrictions on what it may be used for. There is no open source software that says it may not be sold for profit or it may not be used for certain types of devices. So, practically speaking, you want to use open source software?
You can. Not a problem. Most open source software is not particularly restrictive in terms of trademark use. There's a few exceptions, but in most cases if you have a piece of open source software you are welcome to use the name of that software on your packaging. You're entitled to indicate that you're including it. So if you want to use Linux, usually that's fine. You just say "product contains Linux" and then you mention that it's a trademark of Linus Torvalds, and that's the entirety of the obligation you have.

It's kind of difficult to find something that is cheaper than free. For some reason capitalism doesn't seem to have ended up working in the way where people pay you to sell their software without even having something in return, so realistically free is the best you're going to get. And finally, if you're basing your product on proprietary software, you have the fundamental restriction that if it does not do exactly what you want it to do, you're very strongly limited in terms of who you can go to to get it modified to suit your needs. Not a problem with open source software. There's a huge range of small contracting companies, large contracting companies, even the original authors, who will be there and will happily take your money and change the software to be perfectly suited for the requirements that you have. So there's no obvious reason to choose proprietary software over open source software, assuming there is a piece of open source software that matches your requirements.

But something that many businesses forget when they see that they can use open source software, where they can take advantage of open source software, is that open source software is not in the public domain. In general, the material you are using is owned by somebody. It is under copyright. It is provided to you under a license in much the same way as Windows will be provided to you under a license. There are certain obligations you must meet.

There's two broad categories of open source license. There
is the copyleft license, and this is exemplified most famously by the GPL or the LGPL, although the CDDL, which Sun use, is also an example. Copyleft licenses have some requirements that you provide the source code to the original work. When you provide a mod, when you provide a product, you must provide the original work or an offer to provide the source code to the original work. Contrasting with that, there are permissive licenses. Permissive licenses may still have some restrictions, but there's no requirement to redistribute the source.

And there's a fairly small number of licenses that cover the vast majority of open source software that you'll see. There's the GPL and the LGPL. There's the BSD-style license. There's also the MIT license, which is effectively equivalent to the BSD one. There's the Apache Software License, the CDDL, which is primarily used by Sun, and the MPL, which is very similar to the CDDL and is primarily used by Mozilla.

If you are basing a product on a piece of software under an open source license, it is vital that you be aware of the restrictions imposed by that license. The restrictions vary quite broadly. As I said, a BSD-style license typically has no more requirements than that you include a copyright notice and a disclaimer in the product's documentation. This is usually interpreted to mean, in general, you can have this in an about screen somewhere on the device itself if it's a user-visible device. Otherwise it should just be printed in documentation. That's really not a problem. Old-style BSD licenses, the so-called four-clause BSD license, also have a stipulation that the original code and original author must be mentioned in any advertising. There's very little software now used under that license.
So typically that's not an issue.

Code under the LGPL, originally called the Library GPL, now renamed the Lesser GPL, requires that you provide the source code for the LGPL component only. So typically LGPL code that you see will be in the form of a library. It is permissible for you to build closed proprietary applications on top of LGPL code, and the only source you're obliged to provide is for the LGPL component. If you've modified the LGPL component, you must provide the modified source, but otherwise it's not a problem. You can just provide the original source again. That's the end of your responsibility.

GPL code is, sorry. Okay, strictly speaking the LGPL also requires that it be possible to replace the LGPL component with another version of the LGPL component as modified by a downstream recipient. Assuming that you're providing it in the form of a dynamically linked application, that's not usually a problem, because while the user may modify it, they're obviously going to have to keep the ABI the same. Otherwise, strictly speaking, you may be required to provide the object code of your application in order to allow the user to relink that. Practically speaking, I don't think I've ever seen anybody follow the requirements in this way, and I've never seen anybody complain about it. So the LGPL is slightly more restrictive than I mentioned here. In the real world it is probably not something you have to worry about.

GPL code requires that you provide the source code, including any modifications you've made to the GPL components, but also to any derived works. So if you take some GPL code and include it as part of a larger work, I'm going to say derived work. This is derived in the legal sense, as opposed to any mechanical testing that can be performed.
So if you want to know whether it's a derived work or not, ask a lawyer. You'll probably then end up having to ask a judge, and possibly ask another judge, and then there may be another judge involved depending on your local legal system. But if you include a GPL component as part of your work, then you may be required to provide the source code to the other derived components.

When I say you must be, you may be required to provide the source code, I'm talking about GPLv2 here. GPLv3 has some slightly different requirements, but they're pretty much the same. I'm talking about GPLv2 because it's a simpler license and it's the one I'm more familiar with. Section 3 of GPLv2 is the relevant section of the license here. It provides three mechanisms by which you can distribute source code.

The first requires that the source accompany the binary. So if you're shipping a physical product, that would mean that you ship a CD or some other physical medium containing the source with the product. That's usually not practical. I'm sorry. However, if you're providing it as a downloadable binary rather than a physical product, then it's generally felt that it's acceptable for you to provide the source code as a download option as well. The user may or may not avail themselves of the source code. They're not required to download it when they download the binary.
You don't have to give them source code.

3b is the one that the majority of physical objects using GPL code are nominally shipped under. It requires that there's a written offer to provide the source on request, to be included with the device. There's some arguments about whether the written offer has to be on a sheet of paper or whether including it in a screen on the device is okay. Again, it's one of those things where, assuming that you're trying to be compliant, it is probably not a problem. There are two generally accepted ways of handling 3b distribution. The first is that you simply include in the written offer a link to a download site where the source can be obtained. The other is that you may request that the recipient ask you for a copy of the source code on a medium customarily used for software interchange, so like a CD or something. You are permitted to charge for that, provided that the charge matches the cost to you of providing the source code.

3c doesn't apply to commercial distribution. This is a business session.
I'm assuming you're engaging in commercial distribution. If you're not, 3c is just the case where if you receive something under 3b you can distribute it to somebody else and pass on the written offer, and that's your obligation dealt with. The written offer applies to the original distributor, not to you.

The LGPL source distribution requirements are pretty much the same. Functionally speaking, the main difference for GPLv3 is that it states how long the source code must be available and it states that the source code must be provided within 30 days. GPLv2 doesn't include a statement of how long you have to provide the source code. HTC, as an example, have been using this as an excuse to refuse to provide the source code until 90 to 120 days after they receive the request. If you want to try that, again, you probably want to speak to a lawyer.

It's very easy, again, to feel that if you're just buying a product from somewhere else and then redistributing that, that you're not involved, that you don't have any obligations under the GPL. The GPL makes it clear that the distributor is the one with the responsibility, not just the original manufacturer. If you purchase something from a manufacturer and then you resell it, if the original manufacturer didn't give you the source code, you have a problem, because a user may request the source code from you. If you don't have that source code, you can't follow through with the obligations under the license. So, yeah, try not to get into situations where it's impossible for you to satisfy the license. It's not a good position to be in.

Compliance should be a pretty straightforward thing for BSD-style licenses.
All you need to care about is keeping track of which BSD-type projects have been included. Make sure that you have the appropriate copyright notices and disclaimers and then put them somewhere on the device or in the documentation. Easy. LGPL and GPL: you must have the appropriate source code, and also you must have a means of distributing the source code. The source code clearly exists, because otherwise the binaries couldn't exist. So we should not get into a situation where we feel it's reasonable to argue that, oh well, we have binaries, we have no idea where the source code is. If somebody's given you the binaries, they should have the source code. Which means if you're going to a third-party manufacturer, if you're asking them to produce something for you, you must know what you're getting. You must know what components they have used in producing that device, and in the case of it using any GPL or LGPL material, you must ensure that they have provided you with the appropriate source code.

And there are some good reasons why you should really care about this. The license is the only thing that grants you the right to redistribute. If the license has not given you that grant, then any distribution is subject to normal copyright law, and unless you're in a jurisdiction which recognizes fair use, and unless you can justifiably argue that your distribution is fair use (and if you're selling something it's probably not fair use), that's copyright infringement. That is legally equivalent to you including pirated material. And in most jurisdictions the same penalties apply. If you're selling a product that contains open source code and you are not adhering to the license, that is commercial copyright infringement. That is typically a criminal act rather than a civil one. It usually results in large fines.
It can under certain circumstances result in jail time. Obviously, this is somewhat jurisdiction dependent.

In terms of open source licenses and adherence to them, copyright holders are becoming increasingly litigious. In my experience, if you go back ten years, you could find multiple statements that the GPL had never been tested in court. Nobody had attempted to assert their rights as a copyright holder against a distributor. If you ask the same question now, the GPL has been upheld in court multiple times in multiple jurisdictions. Cases have been settled for large amounts of money. One of the most recent ones in the US: a company called Westinghouse, who are only in name related to the company that makes nuclear reactors, produced home electronics and TV sets. Their TV sets ran Linux and also included BusyBox. BusyBox is a multi-purpose user space tool. You ship it as a shell and also a bunch of other applications. It's very small. It's very useful for embedded purposes, so a lot of people use it. The copyright holders of BusyBox are at this point openly stating that they will engage in legal action if they are unable to get a satisfactory response to license violations. Westinghouse ended up losing the court case. To be fair, Westinghouse partly ends up losing the court case because they had run out of money and stopped paying their lawyers, so the lawyers didn't turn up. However, the judge agreed there was a case and therefore awarded significant damages against Westinghouse and also asserted that all remaining stock would be confiscated and given to charity in lieu of the damages being obtained. So apparently a lot of orphanages and hospitals ends up with nice new televisions.

The nutshell version is that if you can't comply with the licenses, there is a significant chance that your ability to operate as an ongoing business may be impaired. As in, it's difficult to be a business if you have no money and no stock and you're in jail.

So, giving a brief case study: Android. You've
presumably all heard of Android. It's a Linux-derived platform for mobile devices, primarily phones, but increasingly tablets. It's based on the Linux kernel, which is released under version two of the GPL. It's a few small components of traditional Linux user space code, most of which is under GPLv2, the LGPLv2 or BSD code, and an entirely new user space written by Google on top of that, which is released under the Apache public source license version 2. So the significant part of this is the Apache 2 code. You are not required to provide the source code. So Android vendors can modify the Apache-licensed code as much as they want. They are under no obligation to provide the source code to anyone, even Google.

The Android source tree is an example of a source tree that has been designed to make it easy for vendors to identify their license obligations. Each component in the Android tree is separately labeled in a predictable way with the license that the source code is under. More to the point, all the appropriate copyright notices are already available there. You just need to put them on your device and everything's fine. So it should be very, very straightforward for anybody building an Android device to know what they have to do.

Recently Apple released a product called the iPad. The joke is that after Apple managed to destroy a large chunk of Finland's economy by releasing the iPhone and taking Nokia's market to a certain extent, the iPad has then destroyed Nokia's paper industry. Sorry, Finland's paper industry. It's not my joke. Also, you really need to know some Finnish people for it to be funny.

There are a lot of vendors now producing cheap ARM system-on-chip designs. Some of them you've heard of: VIA have a subsidiary called WonderMedia who are doing it. Some of them
you probably haven't. Telechips, for instance, I had never heard of until I saw one of their devices. Rockchip: it seems like a ridiculous name for a company, but they produce an ARM system on chip. There are easily available reference designs you can buy or copy. In practical terms, a board design which will make use of easily available parts: glue those together, put on the reference implementation of Android that the vendor supplies, and build a functioning tablet (and when I say functioning, I mean that in a kind of loose way) that will be sold wholesale for well under a hundred dollars. The fact that you can see these tablets being sold in quantities of one on eBay for in the region of 80 to 90 dollars now should give you an idea of just how cheaply they can be made.

A lot of companies have taken advantage of this because they want to get into the tablet market. They see these as something that they can buy and then rebrand and then sell under their brand name. We're increasingly seeing this happen in supermarkets and high street stores around the world. A lot of companies with traditionally no interest at all in selling electronic devices are now selling rebranded Android tablets.

So in terms of the market, I did some research. I identified a list of over a hundred fifty Android tablets. Many of these tablets are in fact the same physical device rebranded by multiple companies. Some of them are almost identical devices that have been cloned and a couple of parts swapped. It's difficult to say where one stops and one begins. Some devices sold under the same name are in fact completely different devices. It's an utter mess. But out of over a hundred and fifty of them, I was able to verify via a large number of means that fewer than 20 were roughly in compliance, and when I say roughly in compliance, what I mean is the source code was available. In many cases where the source code was available,
no written offer was made with the product. All the other devices: no written offer, no source code availability. The source code is not shipped with the device. The real situation is worse. When I say I got a list of over a hundred and fifty, there's a lot more of these.

So I landed in Australia on Saturday. I then spent a while sitting in Sydney airport, which is not a very exciting place, and then I got on the plane and I got to Brisbane, which is a beautiful city, and any of you who live here, I'm somewhat jealous. Also, back home, currently there's about a foot and a half of snow on the ground. I walked into a store in order to buy a SIM card for my phone, and this was literally the first store I walked into in Australia. There was an Android tablet for sale. It, uh, it looks like this. It was a hundred eighty-eight dollars, which is a ridiculous amount of money for this device. $188. If anybody would like to fund my note, it's okay. I will be attempting to return it tomorrow, I think.

So: purchased it, opened it. There is a small pamphlet included. The small pamphlet includes such helpful information as, yeah, yeah, "Battery charging: Has an internal charging battery. We suggest to charge up the battery when the battery power is low." It does not include an offer for source code. So, okay. Android devices typically have some legal information on them, which usually includes the license notices. So after a lot of trouble I managed to work out where the settings menu was hidden, and then I went down to "About device", and then I selected "Legal information", and then there's an option saying "Open source licenses", and I tapped "Open source licenses", and a few seconds later a box popped up saying there was a problem loading the licenses. A closer examination of the device revealed that there is a file in /etc called notices.html.gz, which is the standard Android licenses file, that from the size looks like it was unmodified from the stock one.
However, it was corrupt. gzip was unable to decompress it. So really, kind of a lot of evidence that the vendor did not put much care and attention into ensuring that they satisfy the license conditions. There is no mention of GPL on the vendor website. There is no source code downloadable from the vendor.

In further hilarious news, the side of the box says "VIA 8505 CPU up to 533 megahertz". When they say up to 533 megahertz, that's a kind of interesting use of English, because it runs at 350 and it doesn't go any faster. The data sheet for the system on chip concerned states that it runs at 300, so it's already overclocked. Anyway, this device, the first device of its type that I saw in this country, isn't compliant. To a first approximation, any Android tablet you buy is statistically going to be non-compliant.

In terms of other devices available on the open market in Australia, the ones I've seen are the Telstra T-Touch, which was non-compliant but has since been brought into compliance in terms of the source being available (the device itself still doesn't include a written offer), and also Optus have a ZTE-manufactured tablet. Same situation there again.
No written offer, but now source code's available.

Going back in time: Barnes & Noble, which is a bookstore in America, released an e-reader to compete with the Amazon Kindle in December '09, an Android-derived platform. The documentation, doing much better than the majority of companies here, the documentation indicated that the source code could be made available on request. So I called up technical support, and since my device has arrived, I asked them if they could provide me with source code, and they said, "Well, just let me look into that," and then they went away for a while, and then they asked me where in the documentation it said this, and then they went away for a while, and then they said, "Absolutely, we'll take your address and we'll send you the source code." Great. Time passed. Some more time passed. I called technical support several more times, and eventually they admitted that they didn't have any idea where the source code was, and didn't really have a timeline because they didn't have any idea where the source code was at this point. At that point we're talking about approximately two months. At this point I got kind of bored, especially because they had released a firmware update, and so clearly somebody was still building this code. I extracted the kernel. I looked through for identifying traits.
I discovered the build string, which is embedded into the kernel by the standard Linux build process, which gives you the machine name that the kernel was built on and the username on that machine. I was able from this to identify a contracting company in Vancouver, Canada, and an individual, and a phone number. It turns out that LinkedIn makes this kind of thing a lot easier than it was in the past. So after a short phone conversation with a somewhat bewildered individual, I was then referred to the Barnes & Noble vice president in charge of Android, whose assistant was very concerned about the fact that I was using words like lawsuit and criminal liability, and suddenly the source code appeared. Now, admittedly, the source code that originally appeared contained large chunks of code that were marked "proprietary, property of Samsung, not to be distributed", and also it was the wrong source code. But about a week later they got that sorted out.

The Nook Color was released. Exactly the same situation: written offer in the documentation, no source available. Contacted the same person again and within a week the source was available. So, much better. I didn't have to talk about how they were going to be selling the company to pay at all. So, well, yes.

So in terms of lessons learned from that, the first thing is that if you have paid even lip service to your obligations under the license, then I was much less obsessed about the entire situation, purely because the documentation indicated that they had at least considered their obligations. However, if you say the source code will be made available on request and then you can't provide the source code, admittedly, I'm not going to think you're evil.
I'm just going to think you're incompetent, and that seems to be a rational response to that kind of thing. The main problem is that resolving the situation is surprisingly difficult, because it is incredibly hard to speak to anybody with the authority to do anything about the situation. Frontline technical support are really bad at dealing with this. Firstly, because they generally haven't been briefed on what you're supposed to be doing. Further, there's no real chance that they understand what the GPL is, let alone what source code is. They're also generally not in a position to pass concerns up the management chain in a way that results in a situation being addressed properly.

So if you're a vendor, the first thing you have to be sure of is what you're shipping. Now, I suspect here that Pioneer Computers, who are apparently unrelated to Pioneer Electronics, who produce things you've heard of. Instead, Pioneer Computers are an Australian company who produce relabeled cheap laptops. I suspect they have no real idea about any legal obligations at all. The majority of the time, companies are unenthusiastic about entering into situations where they are potentially criminally liable.

So, yeah, commercial copyright infringement is, in many jurisdictions, especially, well, certainly in America and in countries adopting treaties with America that then encourage American-style copyright law. For instance, I believe commercial copyright infringement became a criminal offense in the United Kingdom in the late 80s, early 90s. Absolutely, yeah. So, right, you do need there to be a prosecutor. So realistically, it's probably not going to result in a criminal case as it could. So, you know, companies generally aren't too enthusiastic about doing that kind of thing voluntarily. So the rational
So it the rational Supposition is that generally they just have no idea what they're doing so You really pay attention if somebody was selling you something which includes a copy of windows Then you would probably want to check with the vendor that it was actually a licensed copy of windows If you're being sold a device running Linux, it is your responsibility to ensure that You can follow through the license obligations So that includes having the source before you ship the device If you have the source and then you ship the device You know you can satisfy the license if you ship the device and your vendor says, oh sure. We'll have the source code for you next week You may not actually get the source and then I might accidentally buy one of your devices and Then things may end up going downhill But if you are aware that you're shipping something under an open source license and if you have put some infrastructure in place in order to satisfy those licenses Make it possible for people to contact you in order to inform you that there is an issue with the source code you're shipping It's much better to be able to be contacted by email by somebody saying excuse me I think there's a problem rather than get a letter informing you that you're about to be sued and If you have a compliance contact, that's not necessarily something that has to be published But make sure that support can refer stuff to them That information it needs to be possible for people to make the compliance contact aware of the issue So while I do keep joking about lawsuits, I have not actually at any point Threatened to sue any vendor. I have not started any legal action against any vendor for the most part I have been fairly successful in obtaining the source codes to products that Have been released in some cases. This has been done by emailing people and then they've realized that this is a problem They've dealt with it in some cases. 
I've gone to visit the office of the company, and that's kind of entertaining. Fundamentally, the reason people release products, the reason people release code under licenses like the GPL, is that they want the source code to be available. They're not doing it to make money. So if I see a product running Linux without the source code being available, my first priority is obtaining the source code. It's not in anybody's interests to engage in a long drawn-out court battle that makes Linux a less attractive option to customers, to vendors. So legal action's very much the last resort, and it's even less likely to occur at all if it's possible for people to raise concerns and have them addressed by somebody who actually has the authority to deal with that.

So when this happened, did the company provide me with source code or did they make it publicly available? I think there is one case where I was provided the source code and then I made that available for anybody else who was interested. Because while strictly speaking everybody else should be able to get the code from them as well, once the code is available, I don't care anymore. The majority of people don't care anymore. As long as you can get the source easily, practically speaking, it's fine. Other cases, they've made it available on a download site.

So I'm saying, if it's easy for people to raise their concerns, if it's easy for people to feel like you accept that this is a problem and that you are working to resolve the problem, the chances of it actually turning into legal action, let alone bad PR, are pretty close to zero.

In terms of further information, the Linux Foundation have something called the Open Compliance Program.
You can, there's no carriage return in there, obviously, but if you visit there then they have a program. They have various tools available for you to audit the software you're shipping, to help identify whether it contains any open source components and, if so, what obligations you have. They also have an initiative where you can provide a compliance contact, which will then not be made publicly available. The Linux Foundation will then put people in touch with you. So for instance, if there's a vendor registered with the Linux Foundation, I can go to the Linux Foundation, I can say I have concerns about this product, can this be passed on, and then they'll get back to me. So that's great. You don't need to put real people's email addresses on the public internet. You can make sure that the Linux Foundation will just pass this on. No judgments will be made. Everything will be fine.

So, um, that is everything I wanted to say. Got a few minutes if anybody has any further questions. Oh, I'm sorry.

You talk about making the source code available, say, downloading on a website. Is it, say, if you haven't modified the source code, say it's exactly as upstream has provided, is it acceptable to, say, link to the upstream source, say kernel.org for the actual kernel you use, give the SHA-1 sum of the file and just say check that it matches this?

Okay.
Um, that's a good question. The Free Software Foundation's position on this is no, that's not sufficient. As with many positions the Free Software Foundation hold on the GPL, it's not entirely clear to everybody that this is absolutely true. However, the main problem with linking to a third-party site is that there is the risk that if that third party stops providing it, you may still have the obligation to provide it. And that obligation lasts, if you're distributing under section 3b, that obligation exists up to three years after you cease distributing the binaries. So realistically, it's unlikely that kernel.org's going to vanish, so it's probably fine. However, say if you were distributing a variant of Ubuntu, then there is no guarantee that Canonical will keep, I think in the past it's been the case that old binaries may eventually be reaped and no longer available, and source code as well, since the general position then is that it's being distributed under 3a rather than 3b. So check it out before you do it. It's safer to distribute it yourself. If you're worried about cost, then as I said, you can do this under 3b. You can ask that people write to you to request it and send you an amount of money that covers you burning a CD of it. Whatever.

Any more?

Pretty much focused on, you know, if you're shipping something with a device. Could you clarify the situation if you've done website development? So essentially the code modification is sitting on a server somewhere.
Okay, and the GPL and the LGPL only come into play if you distribute. If you are running something purely server-side, you're not distributing. There is an argument, potentially, if it's JavaScript, then it's ending up on the client, maybe, in that case. But if it's JavaScript, then that is the source code, unless you've obfuscated it. Right, okay, so there may be cases where JavaScript-style stuff could get you into trouble. There is another version. There was a license based on the GPL called the Affero GPL, or AGPL, which states that if you're using a piece of software that has embedded in it a download link, you must maintain that and it must point to the source code that you're running, not the original version. Adoption of AGPL software has not been particularly high. It's unlikely that you'll hit it. So from a GPL perspective, it's not really a concern. Again, not legal advice, consult appropriate lawyers, blah blah.

Anyone else? Oh. Yeah.