So let's start. This is a talk about a not-so-technical topic. This is about legal aspects, mostly focusing on licensing and our daily due diligence jobs. Myself, I'm Jurgen Walgert. I'm a member of the tools team and also of the SUSE legal review team,

which is not an official team. It never was formed to be there. It just happened to be me and two, one internal and one external attorneys that consult with us to resolve some things. First of all, I'll give you a short overview of what I will talk about.

I'll have it in a few sections. To begin with, I'll present the basic concepts that we talk about. This is patents, trademarks, copyright issues, and for all of these, the respective licenses, to know what can be done. Then a little bit more insight in the details of some licenses that I chose to present here.

Maybe some fun in there or not. And then I have to talk a little bit about Novell, what's our background here and why we all have to care about licensing. In a perfect world, yeah, we just would use free software as it is and distribute something.

But Novell is a big company and they have to be prepared for some other attorneys coming their way and asking about things. And finally, I'll give you a short tour. It's very superficial only, a short tour about how we do our review work.

And we'll ask you for your participation wherever we want to get involved with the community. First of all, there's one catchphrase that tries to sum up all the different aspects of, yeah, the catchphrase is intellectual property, which is more or less an illusion, a seductive mirage, says Richard Stallman.

It does not really help to sum that up in one word. So I would like to give you here some, yeah, plain English definitions, what these different aspects mean. This comes directly from our head vice president of legal, corporate Novell.

He was so friendly to use understandable words and not the usual legal speak for that. So a patent tries to cover new, useful and non-obvious inventions. It tries to cover the idea behind such an invention, not a specific way to write it down.

This is what a copyright is all about. A copyright tries to cover the text, the textual representation or the implementation, how such an idea is then expressed or written down. And yeah, it's only relevant for big companies probably.

It's not relevant at all for our behalf. There are trade secrets, things that a company doesn't want to share. So yeah, I'll use that as an excuse from time to time not to talk with you because we have some trade secrets. And these need to be confidential because that's part of what Novell pays us to build something that is worth some money

so that we get paid for that. And I respect that too. And the last thing, and this is some good point to start with, is trademarks. Trademarks are everywhere. If you look at my t-shirt, there's a little green animal here.

And this color green also has some information that tells you this is Susie here. And there's, where is it, Novell, the word down there. There's also some information. So a trademark is a word or a symbol that identifies and distinguishes some goods, be they material or just software,

some goods or services from their competitors and from other similar goods or services. That's a slide. I show that to you. It's a bit scary. Here again from our corporate legal person, he says, these things give you basic rights.

And then he says, what these things also define are the remedies, which is the damages and injunctions that may happen. So that's typical for a lawyer person to use some strange word.

Actually, he's talking about rights, but he explains what a right is. A right prevents something. That's a bit scary. A right should not prevent something. What is meant that you have the right to say that others should not do this or that? That's what copyright is all about, you know. I have the copyright on my own software, so I can say, don't use it.

It's mine. And actually copyright is more, it defaults to, it's mine, and I have to give you a permission to use that. So that's what he means by that. So beware of the way lawyers speak. They try to use words or they try to use strange words that you don't know. So, yeah, they have their own language and a bit encoded.

That's also where my team comes into the image. We translate or try to translate into understandable or more understandable English. Now, I promised to start with trademarks. Here's a little collection of trademarks. Yeah, my legal counsel, especially my German legal counsel, was a bit scared when I

told him I will show this to some public audience and have it taped and recorded. Because some of these trademarks, well, they should not appear. It says examples found in open source software. But some of them really should not appear in open source software. For example, what has little Scooby Doo, which is from Warner Brothers and is a trademark, what has that to do in a software package?

Probably nothing. And much more is a problem. Pikachu or that little guy from Procter & Gamble, Mr. Clean. These were found at a certain time in the past in software packages.

Some of them can stay around. Some of them are really okay. For example, the Firefox logo. We have an agreement with the Mozilla Foundation to use the Firefox logo on a SUSE product. So that's okay. They approve that. And some others are just historic things, like we have a Sun Microsystem Star Division logos.

And yeah, you guess what software that was? Probably OpenOffice. I won't go into the details for the others. And from time to time we find little things like that, which is just a few pixels. But the colors, there. They give a hint that a Windows logo is meant by that.

So yeah, you cannot avoid trademarks. The Windows logo is a trademark of Microsoft, of course, but you cannot avoid these things. So from time to time it's okay to use them. The trick is, each company has a very specific way to define or has guidelines how these trademarks can be used.

And the trick is, a trademark gets diluted. It gets watered down. It gets useless over time if it is not properly defended. A current in-house example is what we did with the OpenSUSE community.org website. We asked them to make the website not green and not feature a SUSE logo, but make it blue and make some other adjustments.

Just to be on the safe side that our in-house novel council don't say, hey, we have a trademark on this. We have to sue these guys.

Now, recently, Sonke, correct me if I'm wrong with that, we started on our new trademark guidelines. And I assume we are pretty safe that if these guys want to come back and want to use the SUSE trademark on their website, I guess we can possibly approve that. This should be part of our trademark policy, right?

I can hand you the microphone. So the policy in draft form right now, I think they would be able to use it.

We are still going back and forth and trying. What we really want to get to is a policy where existing community projects, things like OpenSUSE community.org, the OpenSUSE live CD, the KDE 3.5 live CD and things like that, we want to get to a policy where those, the way they are using the trademark now is considered okay.

But we also need to make sure that we're not getting too broad a permission. So I just sent, well, we've just had a discussion on a draft and should be very close to finishing the first draft. And this should be seen as an evolving document, too. This isn't going to be, when we put it out, it's not going to be finished completely.

So our intention is not to shoo away people who are on our side who are helpful to our projects. We just had to do that in the first step to be legally on the safe side and then we make our guidelines and invite them in to join as far as possible. Right, because the other thing is there's been a lot of confusion so far.

And so the other thing, and we will give exemptions on occasion. Yeah, that's the good news. Okay, thank you. So the next topic I'd like to talk about is licenses and show you a few aspects what kind of licenses we have. The usual thing you see in a file, in any source code file, is it starts with a copyright notice,

which is by itself not a license. It is, yeah, what does it tell us? It tells us there are some people involved or some entities involved. This is my email address. It's not even a proper name, but it happens that you find just an email address there. And novel ink means probably, yeah, one of these two or both are copyright holders.

And then it says all rights reserved. So you know, okay, these two, they own all the rights in that software. So this is definitely not enough for using such software in an open source project. You need to have permissions. And as I already said, as soon as the copyright is here, the default is,

even if it is not stated explicitly here, the default is that, yeah, non-free. You have to ask these individuals or entities listed in the copyright header what can be done. And the best approach is that the copyright owner needs to declare what exactly he wants us to do with his software.

For that, we have a few possibilities how this could be done. I just browse quickly over, I guess this is fairly common knowledge how this could happen. The first thing is he can try to, or actually do, disclaim his copyright on his software,

which means it becomes public domain. And the other options is, of course, draft a license for that and explicitly tell, or simply adopt an existing license, like GPL or BSD licenses. So for the first one, one simple example, and not so simple example, because, yeah, copyright law does not apply universally all around the world.

For example, in Germany we don't have such a concept as copyright in a strict sense. We have Our Heberrecht, which is a bit a similar concept. So if I say my name here, and I'm German, I, Jurgen Weigert, the creator of this work,

hereby release this work into the public domain. I say that and stop here. It may have actually no effect, because either the concept copyright just does not apply and nothing happens, or a lawyer would say, yeah, he tried to, but he cannot release that. Even if he do it in an indirect sense, what could he have meant,

being a German, he has no copyright, he has this Our Heberrecht, what could he have meant, he could try to get rid of all these rights, but this is not possible in Germany. It happens a few years after I die automatically, but not when I say so. So, that's different. So, the best thing I can do is, I say, I want, in the case that this is not legally possible,

to get as close as possible, unless some conditions are required by law. I try to get rid of any right that I have, and try to express that I mean exactly what in other countries public domain would be. So, a simple concept, but still not that easy due to local law.

The other option is, yeah, draft an own license. And the simple answer is, don't do it, please. It's not easy to draft a license. Today, licenses tend to get longer and longer and longer and more complex.

If I compare GPL version 2 and GPL version 3, it's a horror to read these things and to really understand them. So, yeah, novel has some involvement there too, and some of the conditions are really tricky to read and understand. So, basically it's a compromise from what we wanted, what others wanted.

A lot of people tried to mess around with that license, and finally something came there. But yeah, for an individual software developer, don't even try that. Same as if you take a license that already exists, like GPL is a very good example for that too,

and try to add something to the GPL, a further restriction or something, then you should not do that. Sankar, do you still have that microphone? No, nor do I. A list of preferred licenses.

Yes, novel has a list of preferred licenses. There are a few on the internal website, in the web of novel. But as far as I know, we don't have anything up there on the OpenSUSE build service. Maybe the OpenSUSE policy includes some preferred licenses.

I'll talk about the policy in a minute. But it's not a direct list of preferred, not so good and disallowed licenses. It gets as close as possible. Yeah, so the message here is choose from the existing license pool. Don't draft your own. The Free Software Foundation has a range of licenses. The OSE, the Creative Commons website lists them.

Choose from these. And to give you just an impression of what happens, we already have 500 different licenses in our database and have to deal with them on a day-to-day basis. Please don't try to add any more to that. These are derivatives of, yeah, let's say roughly 550 licenses

that are really distinct licenses, and then some modifications to make this total number, which is a bit scary. Okay, here's an example of an existing license, one of my favorites because it's so short and so distinct. Pool handing comp says, do whatever you want,

and if you like that thing, that stuff, you can buy me a beer. That's a nice license. So, yeah, it's very close to the public domain thing. But, yeah, what do you think? Is this a sufficient license? Is that good? Difficult to say. Yeah, at least the free software for Deutschen says it's a valid license.

May not be really a good choice for some things. For example, it's not really clear. He says, if we meet someday and you think this stuff is worth it, I know a lot of software from which I definitely think it's worth it to buy someone a beer. So if this is all true, I think that, and I meet this pool handing camp,

is that an obligation for me to buy him a beer? I mean, it's inside his license text. So what is inside his license text? You can buy me. But this is can and please and may is nothing that has a legal concept.

No, the other way around. If it's mentioned here, it means you should buy me a beer. Lawyers are not that into the English language. They try to make the strongest claim of anything that is written there, even if it's had some vague language. They try to be on that, uh-huh, does that mean one should

or even one must imply all these conditions? So this is a bit scary. Actually, the case was brought up by one of our downstreams. I guess it was IBM in the past when they said, we don't want to buy someone a beer just in case he shows up.

And what is that concept? We are a company, we are not a person. Should a company buy a beer for someone? Strange concept. So, yeah, they could. It would have been really cool if they... Yeah, if they just... ... come over and we'll give you a beer. Yeah, that would be a cool manager saying, if you ever show up here, we invite you to a beer.

But the lawyer at IBM there was not that cool, and he said, oh, dangerous. Whenever he shows up, you need to, hey, he shows up ten times a day or whatnot. Rather not. So the other problem is this license is incomplete. There are some very substantial things lacking on that license.

Because he grants some rights, but he tries not to protect himself. There are some countries where you can put your cat in the microwave oven and then sue the vendor of the microwave oven for some problems with your cat afterwards. So if that should happen with software from Pull Henning Camp,

say he writes the control software for the microwave, yeah, do whatever you want with that stuff. I mean, I grilled my cat. Now it has troubles. One could try to sue, whatever you want. It includes suing himself. So it's a bit scary. So there's another license for the fun part of it

that I want to show you too. It's actually used in a library called libcaca. Not libaa, but libcaca. It has this strange icon, a heap of something. I don't want to read this license to you

because there are spare words in them. And also one of our downstream company partners said, we can never accept such a license with such rude words in that because this will be part of the official documentation of our software, right? And official documents of our company never include this or this or this, these words. So they had a problem with this license

and asked us to change the license. So what we did, we didn't even ask upstream. Yes, there's his name somewhere. Sam, what's his name? Sam Hockevar. We didn't even ask him. We just applied the license that, hey, you just do what you want. Yeah, so let's change the license.

That's easy. This license explicitly allows me to distribute verb attempt or modified copies of the license text. That's great. So what we just did, we deleted a few words and said, uh-huh, we received that from upstream and downstream. We give that under a modified license. And we asked him afterwards and, yeah, he says,

yeah, that's perfect. Do that. So that's the way to work with licenses. Usually it's not that easy as that, but talk with the upstreams, talk with the downstreams, and get something solved. Now, in addition to that license here, which is a bit on the funny side, he did something very clever down that paragraph.

I don't know if you can read that. The most important sentence is this software is free software. This program is free software. It comes without any warranty to the extent permitted by applicable law. So that's the most important thing in that license. Have your warranty disclaimer down there so that in case local law gives you a choice to say no, no,

if your cat has problems after the microwave session and you want to step aside and don't take the warranty, in case the law allows you to step aside and don't take the warranty, then do it, step aside. So in case it's allowed to say no, no, it's your fault if something happens,

I want to say it's fault of the end user if something happens here. Another question in the back? Tom?

So did you change the license only in the paid SUSE or also in OpenSUSE? Also in OpenSUSE, because we don't want to have too many different licenses around, we try to have a common code stream where everything comes from.

And I think it doesn't do any harm if you change it in OpenSUSE too. Actually, we asked him, and he was fine with the change, so we changed it everywhere. And I'd recommend to all the other distributors to also do such a change if you want to avoid swear words. Another question? Common Source has a few nice comments there too, yeah.

But I think it's not really inside the license text, it's just in the comments. There was another question? I'd like to ask, is there a danger with those two permissive licenses that, for example, I can take the source code and change the name of the author

and then I can say, well, he didn't write this, I wrote it. So how does the license help this doesn't happen? This is a danger with the two permissive actually with his license and I think with the previous license too, I can do what I want with that. So if I change the name and claim it was my code and not his,

it is allowed by that license. Good point. Okay, so this one is good. This one is good. So the notice needs to stay and I can add something. So in that case, we are fine, but in the other case here... You're not. You're not.

So we could change the license completely and say, hey, I just invented that. Yes. It's my own. So yeah, that's a two permissive license. It does not protect the original author and it is not very helpful for us because who do we contact if the software has a bug? Maybe the name never shows up again. So this is a good point to see who wrote that code.

Okay, some more questions? It's not really a question, but I just find it ironic for this particular license to do what the fuck you want. Because I think Sam did it in a reaction to all the assholes that are brought by all these intellectual property laws.

And because it's someone who really knows very well the free software licenses. It was a form of DPL. And it is that interaction to all this kind of stuff. And what you are doing is you're taking it back in a proper form for lawyers.

Exactly. That's what you're trying to do. So we accept that some authors do not know how to write a license and we try to help them make it a little bit better. That's one of the main reasons we contact the upstream author too. We could do that on our own and never talk to anybody.

But we want to let him know, hey, your spare words here are not really good. If you like, change it. But he says, no, I actually like that. You can look up his website here. He has some good rationally on that website. He explains why this is a license he likes. So he was fine in that case and didn't want to learn. He was first.

So what happens to this license if that website... If this website mentioned in the end of the license, if it becomes unavailable in a few years, does it somehow devaluate this license? I evaluated that and it is still valid as of today.

But yes, this might happen. So that's one other general concept of licenses. Do not try to have references in the license where you point outside. Everything that you need to say, say it in this text itself. And do not say, I have a statement here, a statement here,

and the rest you can read on my website. That's not a good thing. Because then... So that's exactly the same. Exactly. You looked it up. It is identical. So in that case, there's no additional information here. It's exactly duplicated. So in that case, it's really fine to have a reference to a website. But yes, that's a valid point. One should not use references to include additional information

or additional restrictions. So they might go away and then the restriction is lost and people do things that they never intended. One question more. I'd like to continue because I guess I'm running out of time then. Yeah, yeah. You said you deal with a lot of licenses.

Do you try to contact people who split from those few meaningful licenses? And do you ask them to merge with them so that the number decreases? Yeah, we should. Actually, we have not the time to do that.

We are quite busy in our team to review everything as it is, asking for changes that are not really needed. Yeah, it would be a good thing to do. So if you find something like that, you may want to contact the authors. Currently, we are a team of three. As soon as we're doing that work. So yeah, the best option as I already mentioned is to use a license that already exists.

Obviously, it may be complex to choose correctly. And yeah, there are some details that make it incompatible with other licenses. This is a topic on its own. It needs time to learn, to read such a license.

And I don't want to go into too many details. For example, just one example. Novell legal says GPL version 2 is a good license. GPL version 3 is also a good license. But what Novell does not want is to have the clause or any later version. This could mean that at some point of time, a version 4 comes into existence

with completely yet unknown regulations in there. And we have no control on that. So any Novell software should not automatically switch over to a license, which we not yet know. So this is why we currently say these two are good. But we only say that...

Pardon? Yeah, the GPL license suggests exactly that text. You should say version 2 or version 3 or any later version. But you can modify it because it's not really part of the license, the way how you declare the license. So, yeah.

And this also only applies where we really have a choice of the license. Usually Novell is fine. You just adopt the license of the project for which you work. For example, if you work on a Mozilla-based project, then your license is obviously a Mozilla license. We don't try to get the GPL into Mozilla license package.

Don't do that. Accept the license as it is. That's the best thing. Yeah, there are a few more slides about the technical details. I'm not sure how much overtime I'm allowed to use. So I can run quickly through that one.

If you have licenses and multiple licenses, that's where things get complex. It usually means that you have to look at the interaction of these licenses, how they interact with each other. And there's one concept called mere aggregation, which means there's a package sitting just next to another package,

and they don't interact with each other. They are just on the same media or installed on the same computer. In that case, different licenses with different terms are usually OK. But it gets more difficult when components link to each other. The FSF has a good phrase to explain what is meant by linked

if it is executed in the same address space. This may involve shared linking, dynamic linking. This may also involve scripting languages. Address space is a bit spooky when it comes to scripting languages. But anyway, if you have components that work in the same address space or that are linked against each other,

you have to check every statement in the license, check the other licenses, compare them, make a matrix, make a check, or say, uh-uh, this doesn't work. This gets really complex. And this is our day-to-day job at the SUSE to review these things. I don't want to go into dual license. I already mentioned that this gives the end user a choice to make it easier for such a compatibility matrix.

For licenses, you also have to have your compliance with the license. What do you need to use, for example, your GPL? That's quite a long list, what you have to do if you want to use a GPL. For example, you have to declare whenever you modify the code. You do not need to shout that out, but for us, we do it in the changelog.

And we have the patches there and have the original source. Anybody can compare what was the changes and a few other restrictions on top of that. Press space, yeah. Novel policy, yeah.

I can almost skip that one. It means that developers should read their text for confidentiality notices. This includes restrictive notices like there's a patent mentioned in the source code in a comment. Hey, that's something you have to look for. If the patent is explicitly mentioned, then go to the legal department or come to my team and see if it is a good thing to have that in there or not.

We do some screening on ourselves, but being only a small team, we ask everybody and also our contributors on the build service to do some screening on their behalf. And if something is found that doesn't look right, just come to us, if it makes sense to you.

This is also a statement made by the novel. Seek approval if needed, not generally. And yeah, it gets difficult. You cannot approach the legal department for any little notice you find. Is this a good one? Is this a bad one? So we need to apply common sense here. And for that reason, our little team got established

to handle almost everything that is in the SUSE distributions. Yeah, what we do with the OpenSUSE, this is what I wanted to mention about OpenSUSE policies. We have a list of licenses that we say are good, and this is exactly the list published by OSI.

And these are good. And we have exceptions to that list, of course, on a case-by-case basis. And the other important policy is that we do not review everything that is in the build service. So there might be something that goes away suddenly, in case we get notice that there is, for example, a possible patent infringement if you put your favorite MP3 player there,

and we think, oh, this person, or we don't have a permission to publicly make available MP3 decoder, which is a patented software, then we better ask the maintainer of that to remove it. Or if he has a patent license, yeah, let's share. But usually such a guy has not a patent license for that.

The same thing, and this gets more complex, is now, and I mentioned that earlier, how we do submit requests into the build systems. Now, general concept, how we do legal review if such thing happens, it is, what I want to show here is some two tracks going in parallel.

While the production team, the packager team, does packaging from that from factory until shipment, in parallel, we fork our workflow and do a license review, a detailed license review, and some final reporting, so that we don't delay our production units too long.

That's one of the general concepts I want to say here. We do it in multiple steps. The first part is fully automated. We have some scripts there to try to dig. They're not perfect, but try to dig some keywords and some catchphrases Most time GPL is mentioned, we find that, but in case of the other licenses here,

it's not so easy to automatically find them. This is a first step, and then we have a manual review, where we iterate over the code from time to time. This is a slide, just go to the second one, where I want to compare the internal build service and the external build service.

These two currently exist in parallel, and most people only see this part of the world. And not that part, because this is internal to SUSE. So from these, we do our commercial product range, and from the other one, we do the OpenSUSE product range. And in both cases, we have a review team sitting in between.

Henne mentioned that earlier. This was the original AutoBuild team and the team on my behalf. And for the OpenSUSE build service, we have to define something new, because it doesn't scale to always ask the maintainer. And actually, there's no legal review if just the maintainers decide what to do.

So we have to have some kind of review board there. So this is a bit of dreaming for future, how this could be in parallel, or maybe it's even just one team across both. Perhaps we merge them somehow. That's ideas for the future. So what you might notice of our doings is

sometime a bugzilla may appear on your desk, an email from bugzilla saying, you have a legal issue in SUSE, we found something. Please help us resolve that. Or we directly write email. So this is where we ask for your cooperation or for your help to discuss the issues. We might think are serious or not so serious.

In the initial stage, nobody knows if an issue is really a serious thing or just sloppy writing of something, but the intent was good. So this is where we need to discuss or seek alternatives. Yeah, in some cases, just we go to management and somebody says, take it, not take it. Without any further legal advice, this also happens.

That's not so good. So my final words for today is what I wanted to do with this little talk. Get some visibility, get in contact with people. And if possible, to make our workload easier, share some of our infrastructure.

We have been in contact with the Fedora guys, with Tom Keller, where I don't, is he here? Over there, great. So I come to you afterwards. We talk a little bit and try to find a way how can we do, not duplicate work, but what we already did you should not repeat or need to repeat and vice versa. Perhaps we can make some public forum

like a mailing list or something that we can discuss. On the other hand, I don't want to shout out in the public, hey, we found something wrong in our product. Please come and sue us, everybody. I don't want to do that. I know somebody who already did some blogs and said something like that. It's a bit scary. It may be good for Fedora, but it's not so good for Novell.

Yeah, that's basically it. My first step is taken today. Thank you for listening. Questions.

Okay, so I have this very trivial program and as you told us, I should give him a license. So what license do I choose? I don't want 25 kilobytes of GPL for 300 bytes of C code. If you write a trivial program, which is just a few hundred lines of code,

and you go through the novel policy, the novel policy says this should be GPL 2 or 3. In that case, you're in lucky position that you're in German and not everything you create is automatically owned or Novell automatically acquires the rights for that.

So you can choose in your free time. In your free time, use your license what you want. Use a simple one. If you like that one, sure. Allow me to add to your answer that in order to just compile a program, you need a license. The act of compiling source code requires a license.

So pick one. Yeah, so code that comes without a license is nothing anybody else could use. So yeah, everything should have a license. It should be clearly stated. That's the basic message here. Okay, so if you have any further questions, I'm available outside to make room for the next talk.

Thank you for the patience.