5 research outputs found

    Investigating Advances in the Acquisition of Secure Systems Based on Open Architecture, Open Source Software, and Software Product Lines

    Naval Postgraduate School Acquisition Research Progra

    Software Licenses in Context: The Challenge of Heterogeneously-Licensed Systems

    The prevailing approach to free/open source software and licenses has been that each system is developed, distributed, and used under the terms of a single license. But it is increasingly common for information systems and other software to be composed with components from a variety of sources, and with a diversity of licenses. This may result in possible license conflicts and organizational liability for failure to fulfill license obligations. Research and practice to date have not kept up with this sea-change in software licensing arising from free/open source software development. System consumers and users consequently rely on ad hoc heuristics (or costly legal advice) to determine which license rights and obligations are in effect, often with less than optimal results; consulting services are offered to identify unknowing unauthorized use of licensed software in information systems; and researchers have shown how the choice of a (single) specific license for a product affects project success and system adoption. Legal scholars have examined how pairs of software licenses conflict but only in simple contexts. We present an approach for understanding and modeling software licenses, as well as for analyzing conflicts among groups of licenses in realistic system contexts, and for guiding the acquisition, integration, or development of systems with free/open source components in such an environment. This work is based on an empirical analysis of representative software licenses and of heterogeneously-licensed systems. Our approach provides guidance for achieving a “best-of-breed” component strategy while obtaining desired license rights in exchange for acceptable obligations

    Avoimen lähdekoodin lisenssien ominaisuuksien vaikutukset ohjelmistoarkkitehtuuriin (The Effects of Open Source License Properties on Software Architecture)

    Open source licenses enable software developers to co-operate with unknown developers to modify and redistribute software without direct financial costs to themselves. Detecting the actual licenses and copyright holders of open source components can be difficult and open source licenses can conflict with each other and can make profiting from open source difficult. Current license compliance methods do not take into account all open source license properties. Some developers are afraid to use open source, because they do not understand open source license properties or license management methods. In the OSSLI project current understanding of the different effects of open source license properties on software engineering was gathered by a systematic literature review. This thesis uses the results of the literature review, ontologies and general system theory to construct a framework to show how the properties of open source licenses affect software architecture. This OSSLI framework consists of the abstract legal system, procedural legal system, software architecture system, software engineering system, business system and social system. This thesis uses the OSSLI framework to evaluate current methods and tools to manage open source license issues and shows how the OSSLI framework was used in the research project to design a new tool to manage open source license compliance through software architecture. The OSSLI framework showed its utility in understanding the effects of open source license properties.
Open source licenses allow software developers to further develop and distribute software in cooperation with developers unknown to them, without paying separate monetary compensation. However, open source licenses can be hard to understand and can hinder the commercial exploitation of software, and the properties of different licenses can conflict with each other. Current license management methods do not take into account all open source license properties, and verifying the actual copyrights of components can be difficult. Not all software developers dare to use open source, because they do not understand open source license properties or the methods for managing them. In the OSSLI research project, a systematic literature review was used to gather information on the current understanding in scientific research of the effects of open source licenses on software engineering. This master's thesis uses the findings of the literature review, ontologies and general systems theory to construct a framework for outlining the effects of open source license properties on software architecture. This OSSLI framework is built from abstract and applied law, software architecture, software development, business and the social network, and it also takes license properties into account. The thesis uses the OSSLI framework to evaluate the tools and methods used to manage open source license risks, and describes how the framework was used in the research project to develop a new license management tool at the software architecture level. The OSSLI framework proved its usefulness for understanding the effects of open source license properties.

    Source Code and License Statement Co-Evolution

    SUMMARY Free software relies heavily on the reuse of software components available under a variety of licenses (e.g., Apache, BSD, GPL, or LGPL). Different licenses impose different limitations and conditions on the reuse of a program and its redistribution, which makes it difficult to understand the legal constraints imposed on the final system. The license of a file is specified by a license statement. License statements are snippets of text inserted at the top of source code or of any other file that specify the license under which the file can be reused, as well as the contributors who hold copyright over the file. License statements are not a static concept, because projects can update their licenses (version or type) or add contributors. As these changes can have a major impact on a system in terms of its distribution and use, (1) it is important to understand when they occur during development relative to the evolution of the system (license changes may happen during major modifications or independently of the evolution of the system's modifications), (2) how often they occur (rare vs. recurring), and (3) who performs them (experts vs. regular developers). First, we propose a meta-model for carrying out analyses that allow the detection of license problems; this meta-model also provides a structured source of information that can be used in license-related studies. Next, we present a study of the co-evolution of license statements and source code in seven OSS systems: JFreeChart, Jitsi, PHP, Rhino, Tomcat, XalanJ and XercesJ.
Our study shows that only in a few cases, in PHP, are the evolution of license statements and that of the software carefully planned and managed together just before major releases. In all systems, the developers who make the most source code changes are also the most active license maintainers. Our work makes it possible to understand when license statements are changed and to identify the developers who make these changes. From this point of view, our work is preliminary work towards better controlling the impact of these changes on the system, i.e., avoiding the introduction of inconsistencies by proposing a methodology for managing license changes and rules for verifying license terms based on our meta-model.

ABSTRACT Open-source software (OSS) systems heavily rely on the reuse of software components made available under a variety of software licenses (e.g., Apache, BSD, GPL, or LGPL). Different licenses impose different limitations and conditions on program reuse and redistribution, thus making it difficult to understand the legal constraints for the final system. The file license is specified using a license statement. License statements are snippets of text near the top of a source code or other file that specify the software license under which the file can be used as well as which contributors own copyrights over the file. Such license statements are not static because projects might update the licenses (version or type) or add contributors. Such changes can have a major impact on a software system, so it is important to understand when they happen during development (with major source code changes vs. independently), how often they happen (rare vs. recurring), and who performs them (experts vs. regular developers).
In this thesis, we first propose a meta-model based on previous work and on information gathered from license statements and text. We use the meta-model to find which data must be analysed to study license evolution. Then, we perform a study on the co-evolution of license statements and source code in seven OSS systems: JFreeChart, Jitsi, PHP, Rhino, Tomcat, XalanJ, and XercesJ. Only in a few cases, in PHP, are license statement and software evolution carefully planned and managed together just before major releases. In all systems, the developers performing most of the commits are also the most active license maintainers. Thus, we are able to understand when license statements are changed and we identified the developers that perform these changes. We consider our finding to be preliminary work to permit better control of the impact of license change on the system (avoiding the risk of introducing inconsistencies) by verifying license changes using rules based on our meta-model. Indeed, we show that our meta-model could help analyses detect license issues in studies related to licenses.

    Intellectual Property Rights Requirements for Heterogeneously-Licensed Systems

    Heterogeneously-licensed systems pose new challenges to analysts and system architects. Appropriate intellectual property rights must be available for the installed system, but without unnecessarily restricting other requirements, the system architecture, and the choice of components both initially and as it evolves. Such systems are increasingly common and important in e-business, game development, and other domains. Our semantic parameterization analysis of open-source licenses confirms that while most licenses present few roadblocks, reciprocal licenses such as the GNU General Public License produce knotty constraints that cannot be effectively managed without analysis of the system’s license architecture. Our automated tool supports intellectual property requirements management and license architecture evolution. We validate our approach on an existing heterogeneously-licensed system.