Liu Xuening: How to build an open source compliance system for enterprises

Liu Xuening, an open source lawyer at Huawei, attended the 2022 China International Software Development Conference and the Fifth China Software Industry Annual Conference Open Source Rainforest "Enterprise Open Source Compliance and Practice" forum, where she gave a keynote speech on "Enterprise Open Source Compliance System Construction". She said that there is no free lunch: when an enterprise adopts open source software, the first thing to pay attention to is the copyright clauses of the relevant open source license. Having understood the value and risks of open source software, an enterprise should identify its existing risks according to its stage in the open source field and build its compliance system accordingly.

Huawei Open Source Lawyer Liu Xuening

01 The value and risks of open source software

What the first generation of Internet creators pursued in open source was freedom and openness. Today, open source is defined as a commercial activity. Open source can replace in-house development, simplifying or eliminating code writing, testing, version iteration and other work that consumes large amounts of manpower, material and financial resources; this greatly reduces R&D investment and cost, brings products to market earlier, and captures market share sooner. At the same time, open source promotes technological innovation and builds an ecosystem with customers and partners, which in turn stimulates further innovation and forms a positive cycle.

When enterprises use open source software, they must fulfil their open source obligations. Common obligations include retaining the copyright notice, documenting any modifications, releasing the source code of modified versions, and distributing modified versions under the original license. Beyond copyright, code also raises questions of patent rights.

Open Source License Copyright Regulations (Open Source Obligations)

The family of licenses represented by the GPL is the strictest among the mainstream licenses. The starting point of the GPL is to protect users' rights to share and modify free software. To ensure that free software remains free for its users, the GPL does not allow modified derivative code to be released and sold as closed-source commercial software. Consequently, as long as GPL-licensed code is used in a piece of software, that software product must also be open source and free; this is the so-called "infection".

How can the vast majority of enterprises avoid this infection as far as possible? The GPL stipulates that an independent program which is not derived from the GPL program, and which can reasonably be regarded as separate from it, need not be subject to the GPL when distributed as an independent work. How, then, does one distinguish two independent programs from two parts of one program? The official GNU FAQ treats this as a legal question that will ultimately be decided by a judge. The FAQ further states that if two programs communicate through interprocess communication mechanisms such as pipes, sockets and command-line arguments, they are generally considered to be two separate programs; it also cautions that if the semantics of that communication are intimate enough, such as exchanging complex internal data structures, the two parts may still be regarded as one combined program.

Open Source License Patent Provisions

From the perspective of code contributors who hold patents covering open source software, attention must be paid to the patent license grants they make and to non-assertion (covenant not to sue) commitments. For users, the concern is the risk of infringing third-party patent holders' rights. Failure to fulfil open source obligations, or fulfilling them improperly, can lead to compliance disputes over open source software.

In recent years, domestic open source litigation has been on the rise. Digital Paradise sued Pomelo Technology, alleging that the APICloud software released by Pomelo copied three plug-ins from its HBuilder software. Pomelo argued that HBuilder is open source software governed by the GPL, and that for GPL-licensed software any third party may use the source code and build derivative works under the GPL without obtaining the copyright owner's permission, so there was no copyright infringement. The case went through two instances, and neither court found grounds to support the defendant's defense.

In Digital Paradise v. Pomelo Technology, the defendant invoked the GPL as a defense against infringement; Luohe v. Fengling, by contrast, was a case in the true sense of a party being penalized for violating the GPL. The defendant, Fengling, was ordered to pay the plaintiff 500,000 yuan in damages.

02 Risk and compliance construction ideas of enterprises at different stages

Enterprises in the open source field can be divided into four stages. At present, most domestic enterprises are in stage two or stage three and are moving towards stage four.

Enterprises in the follower stage (stages 2 and 3) mainly use open source software developed by others and rarely contribute code to the open source community. Where they do contribute, the contributions are small and fragmentary and, being non-core, rarely enter the community's baseline code, so their legal risk lies mainly in the use of open source software. Specifically, this includes:

  • The risk of copyright infringement resulting from non-compliance with open source license obligations;
  • The risk of patent infringement where the open source software itself infringes third-party patents;
  • The risk of being forced to license patents royalty-free, or to open-source core software code, as a result of improper use of open source software;
  • The risk of trademark infringement by products that use open source software.

Elastic is a search engine company, and AWS launched its own cloud service, Amazon Elasticsearch Service, based on Elastic's open source search engine Elasticsearch. Elastic took AWS to court for trademark infringement because the word "Elasticsearch" in AWS's product names was identical to the name of its open source search engine, causing confusion among customers.

The case was settled in February, and Amazon began removing the term "Elasticsearch" from the names of pages on its site, as well as from its services and related programs.

The defining feature of a leader enterprise (stage 4) is the sheer volume of its community code contributions: the contributed code becomes baseline code, has a huge user base, and the enterprise takes the lead in setting community rules. Its main sources of risk are:

  • The influence of the open source community strategy on existing copyright and patent licensing strategy and on the patent portfolio
  • Whether contributed code infringes others' copyrights: the long-running SCO v. IBM copyright litigation, and the Oracle v. Google copyright dispute
  • Whether contributed code involves the company's core patents: Broadcom's withdrawal from the OIC
  • Patent litigation arising from contributed code that infringes others' patents
  • Antitrust issues and other legal liabilities that may arise from the design of the community's governance: TruePosition v. 3GPP, Qualcomm, Ericsson and Alcatel-Lucent
  • The risks of using open source software that apply in the follower stage continue to apply

Compliance system construction

With the support of professional platforms and tools, and with the participation of a professional team, the compliance system is built and the enterprise's open source legal compliance is safeguarded.

Source: blog.csdn.net/Huawei_KYYL/article/details/127506963