Open Source in the Real World: Beyond the Rhetoric
Maureen Dorney, Partner, DLA Piper
Kat McCabe, Board of Advisors, Black Duck Software, Inc.
Gemma Dreher, Senior Counsel, BAE Systems
Introduction
- Widespread availability and use of open source software makes it important for corporate counsel to understand the issues and best practices
- Focus today on management of open source in:
  - Development
  - Procurement
  - Due Diligence (M&A context from Buyer perspective)
Development
- Internal policies and procedures for internal use, external use and contributions mitigate risks
- Options for managing use of open source
  - Committee (company vs. business unit)
  - Pre-approval/disapproval of certain licenses
  - Individual
- Educate developers and others on policies, procedures and risks
Development
- Require review/approval before check in
  - Applicable license and source (e.g., website)
  - Confirm that license meets internal policies
- Technical/legal personnel perform final code review before distribution
  - Review code branches and developer comments
- Consider audit tools to scan and identify open source
Development
- Document use of source code
  - Location
  - Version
  - Applicable License
  - Obligations
- Ensure compliance with obligations
Procurement: Commercial Open Source Procurement Eco-System
- Third Party Developers (includes offshore development)
- Enterprise Software Vendors (both upstream and downstream)
- ASP or SAS Providers (use but no distribution)
- OEM Relationships (many companies have inconsistent policies)
- VAR and ISV Models (present similar issues as those found in OEM relationships)
- Often Different Divisions of Technology Companies Deploy Conflicting Policies
- Complexities of Dual Source Models
Procurement: Formulation of an Open Source Procurement Strategy
- An Open Source Procurement Strategy Should Parallel and be Compatible with Internal Development and Downstream Licensing Strategies:
  - Your Channel Requirements
  - Software Architecture
  - Warranties and Indemnities
  - Conformance of Licenses and Proprietary Rights Notices
  - Implementation of Standard Software Solutions
  - Consider Dual Source Options Where Appropriate
- The Same Open Source Policy and Approval Structure for Internal Development should Extend to Procurement
- Procurement Partners Can Have Very Different Open Source Strategies
Sample Procurement Clauses
Prohibited Uses of the Source Code. Company will not make the Source Code of the Software available on a non-confidential basis. Company shall not combine or distribute the Source Code with any Publicly Available Software. As used in this Agreement, Publicly Available Software means each of: (i) any software that contains, or is derived in any manner (in whole or in part) from, any software that is distributed as free software, open source software (e.g., Linux) or similar licensing or distribution models; and (ii) any software that requires as a condition of use, modification and/or distribution of such software that other software distributed with such software (A) be disclosed or distributed in source code form; (B) be licensed for the purpose of making derivative works; or (C) be redistributable at no charge. Publicly Available Software includes, without limitation, software licensed or distributed under any of the following licenses or distribution models, or licenses or distribution models similar to any of the following: (i) GNU's General Public License (GPL) or Lesser/Library GPL (LGPL), (ii) The Artistic License (e.g., PERL), (iii) the Mozilla Public License, (iv) the Netscape Public License, (v) the Licensee Community Source License (SCSL), and (vi) the Licensee Industry Standards License (SISL).
Sample Procurement Clauses
Licensor shall provide to Licensee in Exhibit A below: (a) a list of all Open Source Technology (including, but not limited to code licensed under the GPL or LGPL) incorporated into or combined with the Software, (b) a description of how the Open Source Technology is incorporated with or into, or interacts with, or will interact with, the Software or any technology that may be incorporated with the Software and/or Licensee products and (c) a copy of the license governing the use and distribution of the Open Source Technology. Licensor agrees to fully cooperate with Licensee to insure compliance by both parties with the terms of any license governing the use of any Open Source Technology in any Software delivered by Licensor to Licensee. Licensor shall comply with a request from Licensee to grant rights and immunities under Licensor's Intellectual Property rights to third parties as required to insure compliance with the terms of any license governing the use of any Open Source Technology in any Software delivered by Licensor to Licensee.
Sample Procurement Clauses
Licensor grants to Licensee a non-exclusive, perpetual, irrevocable and worldwide license under Licensor's Intellectual Property Rights to, in any fashion Licensee may choose (including, but not limited to, community source and/or open source licensing, except any BSD license) (i) reproduce, prepare Derivative Matter of, compile, publicly perform, publicly display, demonstrate, market, disclose and distribute the Software and modifications thereof in source code or object code form on any media or via any electronic or other method now known or later discovered; (ii) make, have made, use, sell, offer to sell, import and otherwise exploit the Software and modifications thereof in source code or object code form in any manner and on any media or via any electronic or other method now known or later discovered; and (iii) sublicense the foregoing rights to third parties through multiple tiers of sublicensees or other licensing mechanisms at Licensee's option.
Changes in Due Diligence
- Traditional technology due diligence
  - Contract review
  - Interviews with management
  - Provides an incomplete picture
- New approach
  - Need to address lack of information about downloaded code (open source and third party)
  - Automated code review used to find downloaded code
Specific Buyer Concerns: Code Provenance
- Code Provenance = Chain of Title
- Tens of thousands of developers worldwide contribute to open source
- Potential lack of attention to and understanding of IP rights
- Reputable source of code is key
  - Well-known, well-run open source projects vs. less known software developers
- Buyer assessment of potential liabilities
Specific Buyer Concerns: License Terms
- Need to identify and review open source license terms
- Has the target complied?
  - Potential liability for breach of contract and infringement
- Is the buyer comfortable with the conditions and obligations going forward?
Specific Buyer Concerns: License Terms
- The General Public License (GPL) exemplifies significant license conditions
- Developed by Richard Stallman
- GPLv2 first issued in the early 1990s; today, one of the world's most popular open source licenses
- GPLv3 issued in June, 2007; addresses new issues, e.g. patent and digital rights management (DRM)
Specific Buyer Concerns: License Terms
- Copyleft/Reciprocity (under GPLv2 and GPLv3)
  - Goal to achieve the opposite of copyright
  - Condition of re-distribution is re-licensing under the GPL
  - GPL provides broad user rights and access to source code
  - Key issue: reciprocity typically conflicts with traditional licensing models
Specific Buyer Concerns: License Terms
- Patent Provisions under GPLv3
  - Goal to address the threat of patents
  - Broad patent license
  - Patent retaliation provision
  - Complex provisions to protect against third party patent licenses
  - Key issue: patent provisions may have unwanted impact on the user's patent portfolio
Specific Buyer Concerns: License Terms
- Anti-Digital Rights Management (under GPLv3)
  - Goal to give users the right to modify code and redeploy it on the applicable consumer device
  - Consumer device companies required to give installation information, along with broad rights and source code
  - Key issue: consumer device manufacturers particularly concerned about GPLv3
Specific Buyer Concerns: License Terms
- Broad Disclaimer of Warranties and Liability (under GPLv2 and GPLv3)
  - Key issue: no operational or legal support
Code Analysis: Practical Considerations
- Who will Perform the Analysis?
  - Buyer
    - Target concern of misuse/buyer concern of taint
  - Target
    - Buyer concern of incomplete analysis
  - Third Party
    - Resolves inherent tension
    - Acts as a buffer between the parties
Code Analysis: Practical Considerations
- Where?
  - Target wants control of code; target offices are the preferred location
  - Target needs to determine rules of engagement
  - Target needs to manage employee expectations; e.g. with cover stories
Code Analysis: Practical Considerations
- Legal Analysis of Results
  - Assessment of code origins
    - Many unknown sources or a few reputable ones?
  - Review of license terms
    - Permissive or onerous?
  - Assessment of Target's compliance
  - Evaluation of potential copyright and contract claims
- Results can affect deal pace and terms
Open Source and M&A: Summary
- Buyers are concerned about unknown open source code in the target's code base
- Buyers now require physical code assessments
- Unprepared targets risk problems in due diligence and disruption of the deal
- Prepared targets improve the deal process