 So, let's start. This is a talk about a not-so-technical topic. This is about legal aspects, mostly focusing on licensing and our daily due diligence jobs. Myself, I'm Jürgen Weigert. I'm a member of the tools team and also of the, yeah, of the legal, Susie legal review team, which is not an official team. It never was formed to be there. It just happened to be me and two, one internal and one external attorneys that consult with us to resolve some things. So, yeah, first of all, I give you a short overview of what I will talk about. I'll have it in a few sections. To begin with, I'll present the basic concepts that we talk about. This is patents, trademarks, copyright issues, and for all of these, the respective licenses to know what can be done. Then a little bit more insights in the details of some licenses that I chose to present here. Maybe some fun in there or not. And then I have to talk a little bit about what is our background here and why we even have, why we all have to care about licensing in a perfect world. Yeah, we just would use free software as it is and distribute something but as a big company and they have to be prepared for some other attorneys coming their way and asking what they think. And finally, I'll give you a short tour. It's very superficial only a short tour about how we do our review work. And we'll ask you for your participation wherever we want to get involved with the community. First of all, there's one catchphrase that tries to sum up all the different aspects of, yeah, the catchphrase is intellectual property, which is more or less an illusion, seductive mirage says Richard Storman. It does not really help to sum that up in one word. So I would like to give you here some, yeah, plain English definitions what these different aspects mean. This comes directly from our head vice president of legal corporate novel. He was so friendly to use understandable words and not the usual legal speak for that. So a patent tries to cover new useful and non obvious inventions. It tries to cover the idea behind such invention, not specific way to write it down. This is what a copyright is all about. A copyright tries to cover the text, the textual representation or the implementation, how such an idea is then expressed or written down. And yeah, it's only relevant for big companies probably. It's not relevant at all for our behalf. There are trade secrets, things that the company does not want to share. So yeah, I'll use that as an excuse from time to time, not to talk with you because we have some trade secrets. And these need to be confidential because that's part of what Novel pays us to build something that is worth some money so that we get paid for that. And I respect that too. And the last thing, and this is some good point to start with is, is trademarks. Trademarks are everywhere. If you look at my t-shirt, there's a little green animal here and this color green also has some information that tells you this is Susie here. And there's a, where is it? Novel, the word down there. There's also some information. So a trademark is a word or a symbol that identifies and distinguishes some goods, be they material or just software, some goods or services from, yeah, their competitors and from other similar goods or services. That's a slide. I, yeah, I show that to you. It's a bit scary here again from our corporate legal person. He says these things have, give you basic rights. And then he says what these things also define are the remedies, which is the damages and injunctions that may happen. So that's, that's typical for, for a lawyer person to use some strange word. Actually, he's talking about rights, but he explains what a right is. A right prevents something. That's, that's a bit scary. A right should not prevent something. What is meant that you have the right to say that others should not do this or that? That's what copyright is all about, you know? I have the copyright on my own software, so I can say don't use it. It's mine. And actually copyright is more defaults to it's mine and I have to give you a permission to use that. So that's what he means by that. So beware of the way lawyers speak. They try to use words or they try to use strange words that you don't know. So yeah, they have their own language and a bit encoded. That's also where my team comes into the, into the image. We translate or try to translate into understandable or more understandable English. Now I promise to start with trademarks. Here's a little collection of trademarks. Yeah, my legal counsel, especially my German legal counsel was a bit scared when I told him I will show this to some public audience and have it taped and recorded because some of these trademarks, well, they should not appear. It says examples found in open source software, but some of them really should not appear in open source software. For example, what has little Scooby Doo, which is from Warner Brothers and is a trademark, what has that to do in a software package? Probably nothing. And much more is a problem Pikachu or that little guy from Procter and Gamble, Mr. Clean. These were found at a certain time in past in software packages. Some of them can stay around. Some of them are really okay. For example, the Firefox logo. We have an agreement with Mozilla foundation to use the Firefox logo on a Susan product. So that's okay. They approve that. And some others are just historic things like we have a Sun Microsystem Star Division logos. And yeah, you guess what software that was? Probably open office. I won't go into the details for the others. And from time to time we find little things like that, which is just a few pixels, but the colors there, they give a hint that the Windows logo is meant by that. So yeah, you cannot avoid trademarks. The Windows logo is a trademark of Microsoft, of course, but you cannot avoid these things. So from time to time it's okay to use them. The trick is each company has a very specific way to define or have guidelines how these trademarks can be used. And the trick is a trademark gets diluted. It gets watered down. It gets useless over time if it is not properly defended. A current in-house example is what we did with the open Susan community.org website. We asked them to make, none of them here right now, we asked them to make the website not green and not feature a Susan logo, but make it blue and make some other adjustments just to be on the safe side that our in-house novel counsel don't say, hey, we have a trademark on this, we have to sue these guys. Now recently, Songo correct me if I'm wrong with that, we started on our new trademark guidelines. And I assume we are pretty safe that if these guys want to come back and want to use a Susan trademark on their website, I guess we can possibly approve that. This should be part of our trademark policy, right? I can hand you the microphone. So the policy and draft form right now, I think they would be able to use it. We're still going back and forth and trying. What we really want to get to is a policy where existing community projects, things like openSUSA community.org, the open SUSA live CD, the KDE 35 live CD and things like that, we want to get to a policy where those, the way they're using the trademark now is considered okay. But we also need to make sure that we're not giving too broad a permission. So I just sent, or well, we've just had a discussion on a draft and should be very close to finishing the first draft. And this should be seen as an evolving document too. This isn't going to be, when we put it out, it's not going to be finished completely. So our intention is not to shoo away people who are on our side, who are helpful to our projects. We just had to do that in the first step to be legally on a safe side. And then we make our guidelines and invite them in to join as far as possible. Right, because the other thing is there's been a lot of confusion so far. And so the other thing, and we will give exemptions on occasion. Yeah, that's a good news. Okay, thank you. So the next topic I'd like to talk about is licenses and show you a few aspects, what kind of licenses we have. The usual thing you see in a file in any cross-court file is it starts with a copyright notice, which is by itself not a license. It is, yeah, what does it tell us? It tells us there are some people involved or some entities involved. This is my email address. It's not even a proper name, but it happens that you find just an email address there and novel ink means probably, yeah, one of these two or both are copyright holders. And then it says all rights reserved. So you know, okay, these two, they own all the rights in that software. So this is definitely not enough for using such software and open source project. You need to have permissions. And as I already said, as soon as the copyright is here, the default is, even if it's not stated explicitly here, the default is that, yeah, non-free. You have to ask these individuals or entities listed in the copyright header what can be done. And the best approach is that the copyright owner needs to declare what exactly he wants us to do with his software. For that, we have a few possibilities, how this could be done. I just browsed quickly over, I guess this is a fairly common knowledge, how this could happen. The first thing is he can try to actually do this claim, his copyright on his software, which means it becomes public domain. And the other options is, of course, draft a license for that and explicitly tell or simply adopt an existing license, like GPL or BST licenses. So for the first one simple example, and not so simple example, because yeah, copyright law does not apply universally on all in the world. For example, in Germany, we don't have such a concept as copyright in a strict sense. We have our Urheberrecht, which is a bit a similar concept. So if I say my name here and I'm German, I, Jürgen Weiger, the creator of this work, hereby release this work into the public domain. I say that and stop here. It may have actually no effect because either the concept copyright just does not apply and nothing happens or a lawyer would say, yeah, he tried to, but he cannot release that. Even if we do it in an indirect sense, what could he have meant being in German, he has no copyright, he has this Urheberrecht, what could he have meant, he could try to get rid of all these rights, but this is not possible in Germany. It happens a few years after I die automatically, but not when I say so. So that's different. So the best thing I can do is I say, I want in the case that this is not legally possible to get as close as possible, unless some conditions are required by law. I try to get rid of any right that I have and try to express that I mean exactly what in other countries public domain would be. So a simple concept, but still not that easy due to local law. The other option is, yeah, draft an own license. And the simple answer is, don't do it, please. It's not easy to draft a license. Today, licenses tend to get longer and longer and more complex. If I compare GPL version two and GPL version three, it's a horror to read these things and to really understand them. So yeah, novel has some involvement there too, and some of the conditions are really tricky to read and understand. So it's basically a compromise from what we wanted, what others wanted. A lot of people tried to mess around with that license, and yeah, finally, something came there. But yeah, for an individual software developer, don't even try that. Same as if you take a license that already exists, like GPL is a very good example for that too, and try to add something to the GPL, a further restriction or something, then you should not do that. Sankar, do you still have that microphone? No, nor do I. What about a list of preferred licenses? Yes, novel has a list of preferred licenses. They are few on the internal website, in the inner web of novel. But as far as I know, we don't have anything up there on the open through the build service. It may be the open through the policy includes some preferred licenses. I'll talk about the policy in a minute, but it's not a direct list of preferred, not so good, and disallowed licenses. It gets as close as possible. Yeah, so the message here is, choose from the existing license pool. Don't draft your own. The free software foundation has a range of licenses. The OZ, the Creative Commons website lists them. Choose from these. And to give you just an impression of what happens, we already have 500 different licenses in our database and have to deal with them on a day-to-day basis. Please don't try to add any more to that. These are derivatives of, yeah, let's say roughly 550 licenses that are really distinct licenses, and then some modifications to make this total number, which is a bit scary. Okay, here's an example of an existing license. One of my favorites, because it's so short and so distinct. Pool Henning Kamp says, do whatever you want. And if you like that thing, that stuff, you can buy me a beer. That's a nice license. So, yeah, it's very close to the public domain thing. But yeah, what do you think? Is this a sufficient license? Is that good? Difficult to say. Yeah, at least the free software foundation says it's a valid license. It may not be really a good choice for some things. For example, it's not really clear. He says, if we meet someday and you think this stuff is worth it, I know a lot of software from which I definitely think it's worth it to buy someone a beer. So, if this is all true, I think that, and I meet this Paul Henning Kamp, is that an obligation for me to buy him a beer? I mean, it's inside his license text. So, what is inside license text? You can buy me, but this is can and please and may is nothing that has a legal concept. No, the other way around. If it's mentioned here, it means you should buy me a beer. Lawyers are not that into the English language. They try to make the strongest claim of anything that is written there, even if it's had some vague language. They try to be on that, does that mean one should or even one must imply if all these conditions? So, this is a bit scary. Actually, the case was brought up by one of our downstreams. I guess it was IBM in the past when they said, we don't want to buy someone a beer just in case he shows up. And what is that concept? We are a company. We are not a person. Should a company buy a beer for someone? Strange concept. So, yeah, they could. Yeah, if they just... If, yeah, that would be a cool manager saying, if you ever show up here, we invite you to a beer. But the lawyer at IBM there was not that cool and he said, oh, dangerous. Whenever he shows up, we need to, hey, he shows up 10 times a day or what? No, rather not. So, the other problem is this license is incomplete. There's some very substantial thing lacking on that license. Because he grants some rights, but he tries not to protect himself. There is, yeah, there's some countries where you can put your cat in the microwave oven and then sue the vendor of the microwave oven for some problems with your cat afterwards. So, if that should happen with software from Pulhan in camp, say he writes the control software for the microwave, yeah, do whatever you want with that stuff. I mean, I grilled my cat. Now it has troubles. One could try to sue whatever you want. It includes suing himself. So, it's a bit scary. So, there's another license for the fun part of it that I want to show you to. It's actually used in a library called Lib Kaka, not Lib RR, but Lib Kaka. It has this strange icon, a heap of something. I don't want to read this license to you because there are swear words in them and also one of our downstream company partners said, we can never accept such a license with such rude words in that because this will be part of the official documentation of our software, right? And official documents of our company never include this or this or this, these words. So, they had a problem with this license and asked us to change the license. So, what we did, we didn't even ask upstream. Yes, there's his name somewhere. Sam, what's his name? Sam. We didn't even ask him. We just applied the license that, hey, you just do what you want. Yeah, so let's change the license. That's easy. This license explicitly allows me to distribute verbatim or modified copies of the license text. That's great. So, what we just did, we deleted a few words and said, uh-huh, we receive that from upstream and downstream, we give that under modified license. And we asked him afterwards and, yeah, he said, that's perfect. Do that. So, that's the way to work with licenses. Talk, usually it's not that easy as that, but talk with the upstreams, talk with the downstreams and get something solved. Now, with addition to that license here, which is a bit on the funny side, he did something very clever down that, that paragraph. I don't know if you can read that. The most important sentence is, this software is free software. This program is free software. It comes without any warranty to the extent permitted by applicable law. So, that's the most important thing in that license. Have your warranty disclaimer down there so that in case local law gives you a choice to say, no, no, if your cat has problems after the microwave session and you want to step aside and don't take the warranty, in case the law allows you to step aside and don't take the warranty, then do it, step aside. So, in case it's allowed to say, no, no, it's your fault if something happens, I want to say it's fault of the end user, if something happens here. Another question in the back? Tom? So, did you change the license only the paid SUSE or also an open SUSE? Also an open SUSE, because we don't want to have too many different licenses around. We try to have a common code stream where everything comes from. And I think it doesn't do any harm if we change it in open SUSE too. Actually, we asked him and he was fine with the change. So, we changed it everywhere. And I'd recommend to all the other distributors to also do such a change if you want to avoid swear words. Another question? Carnal source has a few nice comments there too, yeah. But I think it's not really inside the license text, it's just in the comments. There was another question? I'd like to ask there, is there a danger with those two permissive licenses that, for example, I can take the source code and change the name of the author and then I can say, well, he didn't write this, I wrote it. So, how does the license help? This doesn't happen. This is a danger with the two permissive actually with his license and I think with the previous license too, I can do what I want with that. So, if I want to, if I change the name and claim, it was my code. Yes, exactly. Not his. Yes. It is allowed by that license. Good point. Okay. So, this one is good. This one is good. So, the notice needs to stay and I can add something. So, in that case, we are fine. But in the other case here, you're not. We're not. So, we could change the license completely and say, hey, I just invented that. Yes. It's my own. So, yeah, that's a two permissive license. It does not protect the original author and it is not very helpful for us because who do we contact if the software has a bug? Maybe the name never shows up again. So, this is a good point to see who wrote that code. Okay. Some more questions? Yes. It's not really a question, but I just find it ironic for this particular license to do what the fuck you want. Because I think Sam did it in a reaction to all the assholes that are brought by all these intellectual property laws. And because he's someone who really knows very well the free software licenses. He was a former DPL. And he did that in a reaction to all this kind of stuff. And what you are doing is just, you're taking it back in a proper form for lawyers. Exactly. That's what you're trying to do. So, we accept that some authors do not know how to write a license and we try to help them make it a little bit better. That's one of the main reasons we contact the upstream author too. We could do that on our own and never talk to anybody. But we want to let him know, hey, your swear words here are not really good. If you like, change it. But he says, no, I actually like that. You can look up his website here. He has some good rationally on that website where he explains why this is a license he likes. So, he was fined that case and didn't want to learn. He was first. Okay. So, what happens to this license if that website... I cannot hear you. If this website mentioned in the end of the license, if it becomes unavailable in a few years, does it somehow devaluate this license? I evaluated that and it is still valid as of today. But yes, this might happen. So, it's not... That's one other general concept of licenses. Do not try to have references in the license where you point outside. Everything that you need to say, say it in this text itself. And do not say, I have a statement here, a statement here and the rest you can read on my website. That's not a good thing. Because then... Exactly. You looked it up. It is identical. So, in that case, there's no additional information here. It's exactly a duplicate. So, in that case, it's really fine to have a reference to a website. But yes, that's a valid point. One should not use references to include additional information or additional restrictions. So, they might go away and then the restriction is lost and people do things yet they never intended. Okay. One question more. I'd like to continue because I guess I'm running out of time then. Yeah, yeah. You said you deal with a lot of licenses. Do you try to contact people who made... Who split from those few meaningful and do you ask them to merge with them so that the number decreases? Yeah, we should. Actually, we have not the time to do that. We are quite busy in our team to review everything as it is. Asking for changes that are not really needed, yeah, would be a good thing to do. So, if you find something like that, you may want to contact the authors. Currently, we are a team of three. As soon as you're doing that work. So, yeah, the best option as I already mentioned is to use a license that already exists. Obviously, it may be complex to choose correctly. And yeah, there are some details that make it compatible, incompatible with other licenses. This is a topic on its own. It needs time to learn to read such a license. And I don't want to go into too many details. For example, one, just one example. Novel Legal says GPL version two is a good license. GPL version three is also a good license. But what Novel does not want is to have the clause or any later version. This could mean that at some point of time, a version four comes into existence, with completely yet unknown regulations in there. And we have no control on that. So, any Novel software should not automatically switch over to a license which we not yet know. So, this is why we currently say these two are good. But we only say that, one, yeah, the GPL license suggests exactly that text. You should say version two or any later version. But you can modify it because it's not really part of the license, the way how you declare the license. So, yeah. And this also only applies where we really have a choice of the license. Usually Novel is fine with you just adopt the license of the project for which you work. For example, if you work on a Mozilla-based project, then your license is obviously Mozilla license. We don't try to get the GPL into Mozilla license package. Don't do that. Accept the license as it is. That's the best thing. Yeah, there are a few more slides about the technical details. I'm not sure how much over time I'm allowed to use. So, I can run quickly through that one. If you have licenses and multiple licenses, that's where things get complex. It usually means that you have to look at the interaction of these licenses, how they interact with each other. And there's one concept called mere aggregation, which means there's a package sitting just next to another package and they don't interact with each other. They're just on the same media or installed on the same computer. In that case, different licenses with different terms are usually okay. But it gets more difficult when components link to each other. The FSF has a good phrase to explain what was meant by linked if it is executed in the same address space. This may involve shared linking, dynamic linking. This may also involve scripting languages. Address space is a bit spooky when it comes to scripting languages. But anyway, if you have components that work in the same address space or that are linked against each other, you have to check every statement in the license, check the other licenses, compare them, make a matrix, make a check, or say, uh-uh, this doesn't work. This gets really complex. And this is our day-to-day job at the SUSE to review these things. I don't want to go into a dual license or a remension that this gives the end user a choice to make it easier for such a compatibility matrix. For licenses, you also have to have your compliance with the license. What do you need to use, for example, your GPL? It's quite a long list. What do you have to do if you want to use a GPL? For example, you have to declare whenever you modify the code. You do not need to shout that out. But for us, we do it in the change log. And we have the patches there and have the original source. Anybody can compare what was the changes and a few other restrictions on top of that. Press space, yeah. Novel policy, yeah. I can almost skip that one. It means that developers should read the text for confidality notices. This includes restrictive notices like there's a patent mentioned in the source code in a comment. Hey, that's something you have to look for. If the patent is explicitly mentioned, then go to the legal department or come to my team and see is it a good thing to have that in there or not. So, yeah, we do some screening on ourselves. But being only a small team, we ask everybody and also our contributors on the build service to do some screening on their behalf. And if something is found that doesn't look right, just come to us if it makes sense to you. This is also a statement made by the Novel. Approve, seek approval if needed, not generally. And, yeah, it gets difficult. You cannot approach the legal department for any little notice you find. Is this a good one? Is this a bad one? So, we need to apply common sense here. And for that reason, our little team got established to handle almost everything that is in the SUSE distributions. Yeah, what we do with the Open SUSE, this is what I wanted to mention about Open SUSE policies. We have a list of licenses that we say are good. And this is exactly the list published by the OSI. And these are good. And we have exceptions to that list, of course, on a case-by-case basis. And the other important policy is that we do not review everything that is in the build service. So, there might be something that goes away suddenly in case we get noticed that there is, for example, a possible patent infringement. If you put your favorite MP3 player there and we think, oh, this person or we don't have a permission to publicly make available MP3 decoder, which is a patented software, then we better ask the maintainer of that to remove it. Or if he has a patent license, yeah, let's share. But usually, such a guy has not the patent license for that. Same thing. And this gets more complex. It's now, Henne mentioned that earlier, how we do submit requests into the build systems. Now, general concept, how we do legal review if such thing happens. It is what I want to show here is some two tracks going in parallel. While the production team, the packageer team, does packaging from that from factory until shipment in parallel, we fork our workflow and do a license review, a detailed license review and some final reporting so that we don't delay our production units too long. That's one of the general concepts I want to say here. We do it in multiple steps. The first part is fully automated. We have some scripts there to try to dig. They're not perfect, but try to dig some keywords and some catchphrases. Most time, GPL is mentioned, we find that. But in case of the other licenses here, it's not so easy to automatically find them. This is a first step and then we have a manual review where we iterate over the code from time to time. This is a slide. I just go to the second one where I want to compare the internal build service and the external build service. These two currently exist in parallel and most people only see this part of the world and not that part because this is internal to SUSE. From these, we do our commercial product range and from the other one we do the open SUSE product range. In both cases, we have a review team sitting in between. Hannah mentioned that earlier. This was the original auto build team and the team on my behalf. For the open SUSE build service, we have to define something new because it doesn't scale to always ask the maintainer. Actually, there's no legal review if just the maintainers decide what to do. We have to have some kind of re-report there. This is a bit of dreaming for future, how this could be in parallel or maybe it's even just one team across both. Perhaps we merge them somehow. That's ideas for the future. So what you might notice of our doings is sometime a bugzilla may appear on your desk and email from bugzilla saying you have a legal issue. In SUSE, we found something. Please help us resolve that or we directly write email. So this is where we ask for your cooperation or for your help to discuss the issues. We might think are serious or not so serious. In the initial stage, nobody knows if an issue is really a serious thing or just sloppy writing of something but the intent was good. So this is where we need to discuss or seek alternatives. In some cases, just we go to management. Somebody says, take it, not take it. Without any further legal advice, this also happens. That's not so good. So my final words for today is what I wanted to do with this little talk. Get some visibility, get in contact with people. And if possible to make our workload easier, share some of our infrastructure. We have been in contact with Fedora guys, Tom Keller, over there. Great. So I come to you afterwards. We talk a little bit and try to find a way how can we do not duplicate work but what we already did you should not repeat or need to repeat. Perhaps we can make some public forum like a mailing list or something where we can discuss. On the other end, I don't want to shout out in the public, hey, we found something wrong in our product. Please come and sue us, everybody. I don't want to do that. I know somebody who already did some blogs and said something like that. It's a bit scary. It may be good for Fedora but it's not so good for Novel. Yeah, that's basically it. My first step is taken today. Thank you for listening. Questions. Okay, so I have this very trivial program and as you told us, I should give him a license or a license. So what license do I choose? I don't want 25 kilobytes of GPL for 300 bytes of C code. If you write a trivial program, which is just a few hundred lines of code and you go through the novel policy, the novel policy says there should be GPL two or three. So include it. In that case, you're in lucky position that you're in German and not everything you create is automatically owned or automatically acquires the rights for that. So you can choose in your free time. In your free time, use your license what you want. Use a simple one. If you like that one, sure. Allow me to add to your answer that in order to just compile a program, you need a license. The act of compiling source code requires a license. So pick one. Yeah, so code that comes without a license is nothing anybody else could use. So, yeah, everything should have a license. It should be clearly stated. That's the basic message here. Okay, so if you have any further questions, I'm available outside. So to make room for the next talk, thank you for the patience.