# Software Licenses and The Business Models that Love Them

---

by Jesse Clark
University of Technology Sydney
Copyright © 2019

This work is licensed under a Creative Commons Attribution 4.0 International License.

- [`reveal.js`](https://revealjs.com/) is licensed under the [MIT License](https://github.com/hakimel/reveal.js/blob/master/LICENSE)
- [`highlight.js`](https://highlightjs.org/) is licensed under the [BSD 3-Clause License](https://github.com/highlightjs/highlight.js)
- [`marked.js`](https://marked.js.org/) is licensed under the [MIT License](https://github.com/markedjs/marked/blob/master/LICENSE.md)
- [Markdown](https://daringfireball.net/projects/markdown/) is licensed under [a BSD-style license](https://daringfireball.net/projects/markdown/license.text)
- League Gothic Font is licensed under the [SIL Open Font License](http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL)
- Lato Font is licensed under the [SIL Open Font License web version](https://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL_web)

Note: This presentation is software. Example of a Creative Commons license being used: https://www.flickr.com/photos/myhf/968395545
## Risks
What are the risks of being in the software business?

---

> “Many of the classic problems of developing software products derive from this essential complexity and its nonlinear increases with size. From the complexity comes the difficulty of communication among team members, which leads to **product flaws, cost overruns, schedule delays**. From the complexity comes the difficulty of enumerating, much less understanding, all the possible states of the program, and from that comes the **unreliability**. From complexity of function comes the difficulty of invoking function, which makes programs hard to use. From complexity of structure comes the **difficulty of extending programs** to new functions without creating side effects. From complexity of structure come the unvisualized states that constitute **security trapdoors**.”
>
> — [No Silver Bullet](http://www.cs.nott.ac.uk/~pszcah/G51ISS/Documents/NoSilverBullet.html), by Fred Brooks (1986)

---

Software could kill someone

- [Therac-25](https://en.wikipedia.org/wiki/Therac-25) (1985–1987)
- [Sudden unintended acceleration](https://en.wikipedia.org/wiki/Sudden_unintended_acceleration) (1987–)
- [List of self-driving car fatalities](https://en.wikipedia.org/wiki/List_of_self-driving_car_fatalities) (2016–)

---

Software could destroy equipment, or money, or customers’ data

- [The Explosion of the Ariane 5](http://www-users.math.umn.edu/~arnold/disasters/ariane.html) (1996)
- [EVE Online Update Bug](https://www.eveonline.com/article/about-the-boot.ini-issue) (2007)

  ```bash
  Delete "$INSTDIR\boot.ini"
  ```

- [Knight Capital Says Trading Glitch Cost It $440 Million](https://dealbook.nytimes.com/2012/08/02/knight-capital-says-trading-mishap-cost-it-440-million/) (2012)
- [Steam Update Bug](https://drj11.wordpress.com/2015/01/20/steaming/) (2015)

  ```bash
  rm -rf "$STEAMROOT/"*
  ```

- [A Software Update Bricked Nike's $350 Self-Tying Shoes](https://www.popularmechanics.com/technology/apps/a26474770/nike-adapt-bb-shoe/) (2019)
- [Citibank overpaid creditors by $500 million](https://arstechnica.com/tech-policy/2021/02/citibank-just-got-a-500-million-lesson-in-the-importance-of-ui-design/) (2020)

---

Software could allow an intruder to access our systems

- [Morris Worm](http://groups.csail.mit.edu/mac/classes/6.805/articles/morris-worm.html) (1988)
- [Medtronic cardiac implant](https://en.wikipedia.org/wiki/Medtronic#Technology_safety) (2008–2011)
- [Heartbleed](http://heartbleed.com/) (2014)
- [iOS SSL Bug](https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/) (2014)

  ```c
  if ((err = SSLFreeBuffer(&hashCtx)) != 0)
      goto fail;
  if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
      goto fail;
  if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
      goto fail;
  if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
      goto fail;
  if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
      goto fail;
      goto fail;  /* duplicated line: unconditional, so the final check below is never reached */
  if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
      goto fail;
  ```

- [Node.js `event-stream` hack](https://www.eweek.com/security/node.js-event-stream-hack-exposes-supply-chain-security-risks) (2018)
- [Zoom video conferencing](https://www.schneier.com/blog/archives/2019/07/zoom_vulnerabil.html) (2019)

---

Software could do something forbidden by law

- [4-line RSA algorithm restricted by munitions export law](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States) (1975–1997)
- [Bernstein v. United States](https://cr.yp.to/export.html) (1996)
- [`09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0`](https://knowyourmeme.com/memes/09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0) (2007)
- [Volkswagen emissions scandal](https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) (2008–2015)
- [List of GDPR Fines](https://alpin.io/blog/gdpr-fines-list/) (2018–)
- Patent infringement

---

Software could give incorrect analysis of strategic data

- [Nimbus-7 and Stratospheric Ozone](https://earthobservatory.nasa.gov/features/RemoteSensingAtmosphere/remote_sensing5.php) (1978–1985)
- [Xerox character substitution](http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_are_switching_written_numbers_when_scanning) (2005–2013)
- [Software bug in Bombardier airliner made planes turn the wrong way](https://www.theregister.co.uk/2020/05/29/bombardier_missed_approach_bug/) (2017)
- [Samsung "Space Zoom"](https://old.reddit.com/r/Android/comments/11nzrb0/samsung_space_zoom_moon_shots_are_fake_and_here/)

> “On two occasions I have been asked, — ‘Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?’ …
> I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.”
>
> — [Passages from the Life of a Philosopher](https://en.wikisource.org/wiki/Passages_from_the_Life_of_a_Philosopher/Chapter_V), by Charles Babbage (1864)

---

Software production could run over budget without producing usable results

- [List of failed and overbudget custom software projects](https://en.wikipedia.org/wiki/List_of_failed_and_overbudget_custom_software_projects) (1982–)

> “No amount of automation will have any significant
> effect on the size or efficiency of a bureaucracy.”
>
> — [Why it is Important that Software Projects Fail](http://www.berglas.org/Articles/ImportantThatSoftwareFails/ImportantThatSoftwareFails.html),
> by Anthony Berglas (2008)

---

Other software disasters

- [Special Delivery](https://thedailywtf.com/articles/Special-Delivery) (2009)
- [A coding error caused Rogers outage that left millions without phone service](http://web.archive.org/web/20220901211829/https://www.theglobeandmail.com/business/article-how-a-coding-error-caused-rogers-outage-that-left-millions-without/) (2022)
- [RFC 9225: Software Defects Considered Harmful](https://www.rfc-editor.org/rfc/rfc9225.html) (1 April 2022)

---

Unpleasant software could cause poor customer retention

- examples from the audience, please
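---

As an added example (not code from the original deck, nor Apple's), a constructed model of the iOS `goto fail` snippet listed above: `verify_vulnerable` mirrors the duplicated unconditional `goto`, so a forged signature is accepted, while `verify_fixed` shows the braced form that keeps the final check reachable. The `hash_update`/`hash_final` helpers and the `check_input` struct are stand-ins, not the real SSL API.

```c
#include <stdio.h>

/* Constructed model of the iOS "goto fail" defect (not Apple's code).
 * Each step of the signature check returns 0 on success or a non-zero
 * error code, mirroring the err/goto fail pattern of the real snippet. */
enum { OK = 0, ERR_UPDATE = 1, ERR_FINAL = 2 };

struct check_input {
    int update_fails; /* force an early hash-update step to fail */
    int final_fails;  /* force the final hash comparison to fail */
};

static int hash_update(const struct check_input *in) { return in->update_fails ? ERR_UPDATE : OK; }
static int hash_final(const struct check_input *in) { return in->final_fails ? ERR_FINAL : OK; }

/* Vulnerable form: the second "goto fail" is unconditional and runs while
 * err is still 0, so hash_final() is skipped and a bad signature passes. */
int verify_vulnerable(const struct check_input *in)
{
    int err;
    if ((err = hash_update(in)) != 0)
        goto fail;
        goto fail; /* duplicated line: always taken */
    if ((err = hash_final(in)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened form: braces around every branch body keep a duplicated goto
 * conditional, and the final check cannot be skipped. An unreachable-code
 * warning, or a negative test with a forged signature, would also catch it. */
int verify_fixed(const struct check_input *in)
{
    int err;
    if ((err = hash_update(in)) != 0) {
        goto fail;
    }
    if ((err = hash_final(in)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    struct check_input forged = { 0, 1 }; /* constructed: final hash mismatch */
    printf("vulnerable verify: %d (0 means accepted)\n", verify_vulnerable(&forged));
    printf("fixed verify:      %d\n", verify_fixed(&forged));
    return 0;
}
```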
## Liabilities
If we **publish** software that later causes damages, are we liable for those damages?

If we **use** third-party software that causes damages, are we liable for those damages?

---

Did the software include a warranty?

Does the law specify an [implied warranty](https://en.wikipedia.org/wiki/Implied_warranty) of merchantability or fitness for a particular purpose?

---

Does the implied warranty depend on the price?

> Australian businesses must guarantee products and services they sell, hire or lease for:
>
> - under $40,000
> - over $40,000 that are normally bought for personal or household use.
>
> — [Australian Competition and Consumer Act](https://www.accc.gov.au/consumers/consumer-rights-guarantees/consumer-guarantees) (2010)

---

To use software, we have to copy it to our machines. Do we have the rights to make that copy? How can we prove that?
## Software Licenses
Note: This page intentionally left blank.

---

The main risk we face when we choose to use some software is that we may not have the right to use it.

> The author of a written or recorded work automatically receives the rights to control copying that work.
>
> (In the case of a “work-for-hire” prepared by an employee within the scope of their employment, the employer is considered the author.)
>
> — [Berne Convention](https://en.wikipedia.org/wiki/Berne_Convention) (1886),
> [World Intellectual Property Organization Copyright Treaty](https://en.wikipedia.org/wiki/WIPO_Copyright_Treaty) (1996)

---

Even if we have the rights to copy some software, we may not have the rights to run it, because it implements a patented algorithm. Algorithms that are allowed for use in a university research lab may not be allowed for use in a commercial business.

- [GIF](https://patents.google.com/patent/US4558302): US Patent 4558302B1 (1994–2011)
- [Scale-Invariant Feature Transform](https://patents.google.com/patent/US6711293): US Patent 6711293B1 (2004–2020)

---

Infringing on intellectual property could get us sued, and cancel all the value we are trying to create. Therefore, a self-interested business should always make sure they have the rights to use software. These rights are provided in the form of a software license.

Notes: That concludes the licenses we need to consume. What about the licenses we need to produce?
## Types of Software Licenses
> “Each item of work being done on the project is to manage a particular risk.”
>
> — [Risk-First Software Development](https://riskfirst.org/Quick-Summary), by Rob Moffat (2019)

---

### Public Domain

| **Risk** | none perceived |
|------|------|
| **Strategy** | just publish |
| **License** | Public Domain, [WTFPL](https://spdx.org/licenses/WTFPL.html), [CC0](https://spdx.org/licenses/CC0-1.0.html) |
| **Business Model** | sell separate warranties, charge for enhancements, patron-funded work |
| **Example** | Spacewar!, qmail, SQLite |

> “The three chief virtues of a programmer are:
> Laziness, Impatience, and Hubris.”
>
> — [Programming Perl](http://wiki.c2.com/?LazinessImpatienceHubris), by Larry Wall (1991)

---

### Proprietary

| **Risk** | If our hardware has no drivers, customers will not be able to use it. |
|------|------|
| **Strategy** | Include closed-source drivers with hardware |
| **License** | Closed source, warranty void upon tampering |
| **Business Model** | Hardware vendor |
| **Example** | nvidia |
| **Weakness** | No way for customer to maintain software they depend on. Robot kernels are always out-of-date. |

---

### Proprietary

| **Risk** | If customers do not directly pay for the software, we will not make any money. |
|------|------|
| **Strategy** | Pay per seat, with license keys or other DRM |
| **License** | Source code may be available. |
| **Business Model** | Enterprise software vendor |
| **Example** | Unreal Engine, Aseprite |

---

### Proprietary

| **Risk** | If customers could read the source code, they could find a way to avoid paying (or otherwise damage us). |
|------|------|
| **Strategy** | Pay per seat, with license keys or other DRM |
| **License** | Closed source, 35-page End User License Agreement |
| **Business Model** | Consumer software vendor |
| **Example** | Mathematica, Adobe, typical PC video games |

---

### Proprietary

| **Risk** | If customers understand how much our software costs, they will buy less of it. |
|------|------|
| **Strategy** | Free download, no license keys |
| **License** | Closed source |
| **Business Model** | Enterprise software vendor, with software license auditing (racketeering) |
| **Example** | Oracle |

---

### Copyleft

| **Risk** | The software could become impossible to maintain. The software industry could remain in the proprietary mode forever. |
|------|------|
| **Strategy** | Create the first free option, spread OSS virally. |
| **License** | General Public License ([GPL](https://spdx.org/licenses/GPL-1.0-or-later.html), [LGPL](https://spdx.org/licenses/LGPL-2.0-or-later.html), [AGPL](https://spdx.org/licenses/AGPL-1.0-or-later.html)) |
| **Business Model** | Consulting. Enable large systems which create programming jobs. |
| **Example** | Linux kernel, bash, Perl, Python, nmap, Git, MySQL, VLC, Audacity, Blender |

---

### Permissive

| **Risk** | We could be liable for damages caused by the software. |
|------|------|
| **Strategy** | Include an "as-is" disclaimer. |
| **License** | [MIT License](https://spdx.org/licenses/MIT.html) |
| **Business Model** | Contracting. Build systems whose components can be maintained by the community. |
| **Example** | X11, GitLab, PuTTY, curl, Ruby on Rails, Node.js, Lua, Rust, Julia, Nim, Netlify CMS, NewsBlur |

> “Smart companies try to commoditize their products’ complements.”
>
> — [Joel Spolsky](https://www.joelonsoftware.com/2002/06/12/strategy-letter-v/) (2012)

---

### Permissive

| **Risk** | We could be defamed by association with some user of the software. |
|------|------|
| **Strategy** | Include a non-endorsement disclaimer. |
| **License** | [BSD License](https://spdx.org/licenses/BSD-3-Clause.html) |
| **Business Model** | Build large interoperable systems. Rough consensus and working code. |
| **Example** | BSD, CMake, CMU Sphinx, Dart, Go, Nginx |

---

### Permissive

| **Risk** | The software could produce incorrect results when used to make decisions about a nuclear facility. |
|------|------|
| **Strategy** | Include a no-nuke clause. |
| **License** | [BSD no-nuke variant](https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-Warranty.html) |
| **Business Model** | |
| **Example** | |

---

### Permissive

| **Risk** | Potential users and maintainers could ignore the software for fear of infringing our patents. |
|------|------|
| **Strategy** | Include a patent grant. |
| **License** | [Apache License](https://spdx.org/licenses/Apache-2.0.html) |
| **Business Model** | Enable large systems, which can still be sold commercially. |
| **Example** | Hadoop, Lucene, TensorFlow |
| **Counterexample** | React |

---

### Mixed Licenses

- [Multi-Licensing](https://en.wikipedia.org/wiki/Multi-licensing)
  - Perl, nginx, SQLite
- Plug-in architecture
  - [Can plugins for closed source software use GPL'd libraries?](https://opensource.stackexchange.com/a/1481)
  - [ROS2: nonfree plugins](https://index.ros.org/doc/ros2/Installation/Install-Connext-Security-Plugins/)

> “The continued adaptation, modification, and correction of errors in [programs] is essentially dependent on a certain kind of knowledge possessed by a group of programmers who are closely and continuously connected with them.”
>
> — [Programming as Theory Building](http://pages.cs.wisc.edu/~remzi/Naur.pdf), by Peter Naur (1985)

Notes:

- https://blog.codinghorror.com/pick-a-license-any-license/
- [Business models for open-source software](https://en.wikipedia.org/wiki/Business_models_for_open-source_software)