What are the red lines of open source that should not be trodden on?
2022-06-26 00:23:00 【Open Source Headlines】
Author | Phoebe    Coordinating editor | Du Min
Produced by | CSDN (ID: CSDNnews)
Open source licenses are the foundation of the open source world. According to data from CSDN's "2021-2022 China Developer Survey Report", although 94% of developers use open source software, nearly 30% of developers do not understand open source licenses, and 60% are unclear about the differences between the mainstream open source licenses MIT, GPL and Apache.
With the rapid growth of open source in recent years, open source violations at home and abroad have also emerged one after another: the author of colors.js deleted his library; the author of node-ipc poisoned his code in the name of opposing war; in the "Luohe v. Fengling case", the first in China to affirm the legal effect of the GPL 3.0 license, Fengling was accused of not respecting open source rules... Case after case has made us increasingly aware of the grim situation and of the need to accelerate legal compliance in open source. While open source software pursues "freedom", the interests of open source workers cannot be sacrificed, or their creative passion will suffer.
So where are the legal boundaries of open source licenses, and how can we avoid stepping on landmines? Facing the endless stream of open source licenses on the market, how should open source developers choose? How can enterprises avoid compliance risks when using open source software?
In this episode of CSDN's open source live program "Open Source Roundtable", themed "Changing licenses, deleting libraries, poisoning code: which red lines of open source must not be trampled?", we invited Zhuang Biaowei, 2021 chairman of the Open Source Society; Guo Wei, ASF Member and Apache Incubator mentor; and Deng Chao, senior intellectual property lawyer. Moderated by Tang Xiaoyin, executive editor-in-chief of CSDN's "New Programmer", they discuss where the red lines of open source lie and how to avoid open source risks.

Where to start with the dazzling array of open source licenses?
Tang Xiaoyin: What are the mainstream open source licenses on the market at present, and what are their characteristics?
Guo Wei: There has recently been a lot of controversy over which licenses are truly open source. In particular, a U.S. court ruling that "open source not approved by the OSI (Open Source Initiative) is 'fake open source'" triggered a heated debate. But generally speaking, the mainstream open source licenses have gone through OSI approval.
Mainstream open source licenses include GPL, BSD, MIT, the Apache License and so on. A license has several important elements:
The first is liability under open source;
The second is whether derived works must be open sourced when they are redistributed, and under what name they should be released.
At present, China's Mulan Permissive Software License is also OSI-approved, so you can select the open source license that suits you on OSI's standard website.
Deng Chao: From a legal point of view, the Chinese term "open source" (开源) and the English term "Open Source" are generic words: anyone can use them, and nobody can monopolize them. Only licenses certified by OSI can carry the OSI trademark. OSI lists 10 criteria and certifies certain licenses against them; you can say those licenses are OSI-certified, but OSI does not have a monopoly on the words "open source". "Open source" is like the word "cola": anyone can use it, and only "Coca-Cola" involves a trademark.
I personally don't think "open source" and "OSI" can be equated. If everyone believes that only OSI-certified licenses can be called open source, that effectively makes the words "open source" proprietary.
Tang Xiaoyin: What are the differences between the mainstream open source licenses, and what should one pay attention to when using them?
Guo Wei: This is a diagram I drew that classifies the common licenses, mainly along two dimensions: first, whether modifying the code obliges you to open source; second, whether using the software to provide a service obliges you to open source.

From these two perspectives, different licenses have different requirements.
On the whole there are many open source licenses, but you can choose according to your own purposes. If developers want to commercialize, they can choose the licenses on the right, such as BSD, MIT and Apache: you can build your own commercial software on these open source projects without having to open source your commercial software again. One thing to note, though: licenses like Apache require you to keep the copyright notice when you modify the code. For example, a large company used Apache SkyWalking without stating that it was under the Apache License, and as a result received a warning.
If developers use open source software only as users, then the licenses on the left, such as GPL, are fine. The most typical example is MySQL, which is under the GPL. You can package MySQL and use it freely within your own company, but if you want to package it into commercial software, you must open source it too.
Deng Chao: Regarding precautions, in my view: first, we need to be copyright-aware. For anything you did not create yourself, get permission before using it.
For example, why can we download WeChat for free and legally? Because when downloading, the user clicks "I agree" in the user agreement; this is the contract that is at once most familiar and most unfamiliar to us. Everyone signs it every day, but no one reads its details. In fact, clicking "I agree" is signing an intellectual property licensing clause: Tencent allows users to keep copies of the WeChat program on the premise that they agree to the terms of the agreement.
By analogy, with source code what we need to observe is the license. So in our understanding we should attach great importance to this, and know something about these basic, common licenses.

A broad look at the "red lines" of open source licenses
Tang Xiaoyin: What legal effect does an open source license have?
Deng Chao: Although China has no specific law on open source, open source is not outside the law; from the perspective of software intellectual property there are laws to follow, and contract law and the Civil Code cover it. Under the civil law system, an open source license, like the end user license agreement or service agreement of ordinary software, is essentially a contract: a standardized, non-negotiable contract. If you accept the contract, you can use the software according to its terms; if you don't accept it, you can't use it.
Guo Wei: Speaking of abiding by licenses, I think it's really dangerous. How many companies in China package MySQL as part of their own software and sell it? It seems very common. If Oracle wanted to pursue this, it would certainly catch some of them. Under the license, if you have not bought Oracle's license you cannot package MySQL and sell it as part of commercial software, yet many Chinese enterprises do this. They may not even know where the power of the license lies, and I think we should gradually come to understand it.
Tang Xiaoyin: A developer asks: what rules apply to using MySQL on a company intranet?
Guo Wei: Using MySQL on the company intranet is no problem, but you cannot package it as part of your company's software and sell it externally.
Tang Xiaoyin: Is it legal to use the community edition of open source software when developing for your own use within the company?
Guo Wei: You need to be careful when using the community edition of open source software: check what license the community edition is actually under, and carefully identify the source of each part of the software.
For example, some software is ostensibly under the Apache License but uses GPL packages, so the project is not simply under the Apache License. Software authors and users who don't notice this may not realize they need to fulfil obligations under the GPL. So I personally recommend using projects under the various open source foundations; to make sure everyone can feel at ease about the license they are using, projects under an open source foundation are screened, with many experts having checked them on behalf of beginners.
Zhuang Biaowei: I want to make a point for business managers: the vast majority of programmers are untrained and know nothing about open source licenses or the legal issues related to open source. To get their work done, they may find suitable packages and components on the Internet, modify them and put them to use. At first the project may only be for the company's own use; later there may be a need for commercialization, and the code is packaged and sold. So there are many unknowns, creating potential hazards.
From the perspective of enterprise managers, first educate your developers: we should pay attention to the legal issues of open source in our daily work. Of course it's not just about educating them; we must also establish an open source governance mechanism within the company, rather than waiting until the software becomes a product. In this process enterprises need to bear costs, but many enterprises embrace open source precisely because they feel open source is zero-cost. They didn't consider that whether you use, modify or redistribute, there may be security risks and legal risks, and avoiding those risks has a cost.
Tang Xiaoyin: Does lawyer Deng know about the Mulan Permissive Software License? Can you tell us its legal effect in China and how it differs from other licenses?
Deng Chao: The Mulan license is essentially no different from other open source licenses, but its significance is that it is a Chinese-language license.
Today the mainstream foundations are mainly American. When our programmers and legal professionals try to understand foreign licenses, the first thing they face is the language barrier. A license is more than a legal document; it also contains a lot of technical content, which creates obstacles for legal personnel too. As a license written in Chinese, the Mulan license is easier to understand and promote in China.
Tang Xiaoyin: There are disputes about licenses related to cloud services. Why, for example, is the SSPL not recognized by OSI?
Guo Wei: Although the SSPL lets you use and modify the product source code freely, it has one basic requirement: if a user provides cloud services or external services based on code under the SSPL, they must also publicly release any changes and the source code of their own management tooling. It is not OSI-approved because OSI has 10 rules, one of which is that you may not discriminate against certain types of users, and this situation amounts to discriminating against those who use open source software to provide cloud services. So it was not recognized by OSI, though this is also controversial.
Deng Chao: Actually, speaking from the contract angle, there are some misunderstandings in China about the agreements under cloud services. My personal opinion is that cloud-service-related agreements are not license agreements.
For example, the trigger for the GPL is distributing code: say, downloading object code locally, or obtaining the source code on GitHub; only then is the condition triggered, and the condition for legal use of that code is obtaining the rights holder's permission.
But in the context of cloud services, it is not an agreement that lets you obtain code. In cloud services, for example when we visit iQIYI on the web, almost all the code runs in the cloud and the user does not get the source code, so there is no such license. What the user pays for is only the right to access the service; in essence it is not a license but a network service agreement or network service contract, like an iQIYI VIP membership.
So in its legal nature it differs from a traditional license. Of course, in the industry it is often called a cloud service license, but legally it is not a license.
Guo Wei: At present, domestic cloud service providers don't have problems with the licenses themselves, but there is a phenomenon of people often playing at the edges. For example, the Apache License stipulates that the name of Apache software belongs to the Apache Foundation, so Apache-related names cannot be used for business activities. Cloud vendors don't seem to care much about this, so there is some "riding on the name" and "riding on the traffic", which is a problem.
Tang Xiaoyin: Speaking of names, it reminds me that Java had a great reputation early on, and when JavaScript appeared later it was suspected of riding on the name. Renaming to ride on traffic is not unique to today in the tech circle, so in what circumstances should it be condemned morally and legally?
Guo Wei: The use of names goes back to the open source license itself. Some open source licenses allow similar names, such as the MIT license, so there's no problem using the same name. But a license like Apache does not allow you to use its name, so riding on the name's traffic will be a problem. This is related to the license itself; it's not that all names are problematic.
Tang Xiaoyin: A user mentioned that his software company uses some dependency packages, some under the Apache License, some under MIT, some under BSD, and others under LGPL. How should he choose the license for his open source project?
Guo Wei: According to the picture I just showed, the strictness of open source licenses increases step by step, and there is a "backwards compatible" phenomenon. For example, the four licenses he mentioned, from loose to strict, are MIT, BSD, Apache, LGPL.
Therefore, if several licenses coexist, generally only the strictest one can be used. For example, if the strictest license used by the above open source software is the LGPL, then your software should also use the LGPL. If you modified the software's code, you have to follow it and use the LGPL open source license. But if you only use its class library without code changes, then the condition that triggers the LGPL is not met, so you can choose not to open source, and at the same time you can choose a more relaxed license one level up, the Apache License. Note, though, that the Apache License requires copyright notices to be retained.
Deng Chao: On the one hand, as Guo said, when open source software is under both strict and loose licenses, it must follow the strict license's requirements.
On the other hand, besides meeting the requirements, which license to choose still depends on specific analysis. For example, for some kernel software, choosing the GPL may be better, as with the Linux kernel. But if it is business software or a library, the LGPL may be better. On the premise of compatibility, a license can also be modified for commercial purposes. Because a license is a contract, when you feel this contract does not meet your business needs, you can write the contract yourself or entrust an external lawyer to write it.

How to avoid falling into open source traps?
Tang Xiaoyin: Some time ago, the author of colors.js deleted his library and had his GitHub account blocked, and the node-ipc author's poisoning of open source code in the name of opposing war also sparked heated discussion. What do you think of such "library deletion" and "poisoning" incidents?
Zhuang Biaowei: First of all, whether it's "deleting a library" or "poisoning", it is very bad behavior in the community, but at present there seems to be no specific law restricting it. Unless the "deletion" or "poisoning" really causes personal or economic losses, in which case you can sue directly, there is really no way to deal with him before that.
The examples we can see usually stay at the level of condemnation, such as the library-deleting developer being banned by GitHub. The node-ipc author's account has not been blocked yet, but his private life has been fully exposed. The reason is that he provoked public anger, making him "socially dead" across social networks and the open source circle. This is a very sad thing: although in real life we can't do anything to him, on social networks he is disgraced.
Guo Wei: Most open source licenses contain a disclaimer, namely: if using this code causes any damage, it has nothing to do with the original author. So legally we can't hold the author accountable; on the moral level the author is certainly wrong. As for how users can avoid this problem, I still advocate using a foundation's top-level projects, or projects with more contributors or well-known contributors, and best of all projects that have run for a long time. Be careful with projects controlled by only one or two people; that's a big risk. If you are too lazy to do your homework, go directly to foundation projects; but if you have some judgment, carefully study the background of the project's contributors.
Deng Chao: "Poisoning" may be criminally liable, because it may constitute illegally obtaining personal information or the crime of sabotaging computer information systems. At present the public security system may not have gone deep into the open source field, but as the police's technical investigation sections gradually strengthen, I think it is possible for him to be held criminally responsible. Although there are no similar cases now, if a highly influential event occurs in the future there is still a risk of criminal liability.
Guo Wei: I want to ask lawyer Deng a question. Open source licenses have exemption clauses to protect the author. So take the earlier very hot Log4j incident as an example: the vulnerability was not made intentionally, but suppose it caused a company to be attacked and suffer huge losses. If the author of this open source software were Chinese, would he avoid liability because of the protection clause in the license?
Deng Chao: The exemption clause of an open source license is only a civil law concept. As a contract, it is only binding on the parties, that is, the author and the user; it has nothing to do with other people. However, once an act endangers society and causes serious losses it may involve criminal law, and then a contractual agreement cannot constitute an exemption under criminal law. But criminal law requires the subjective and objective elements to be consistent. For example, "smuggling" drugs requires me to have the intent to smuggle drugs. If I am on a plane and someone puts drugs in my bag without my knowledge, even if objectively the drugs were smuggled by me, I cannot be held criminally accountable. So if the vulnerability was not the author's intention and is just a bug, even if it causes serious losses, there is no criminal liability.
Tang Xiaoyin: When faced with these open source red lines, what advice can you give developers?
Zhuang Biaowei: I once read a book about the growth of developer communities. It says that in the early open source community there were many open source enthusiasts who, when the open source licenses first appeared, began to study the legal provisions, and found that programming thinking and legal thinking are very similar.
Therefore, I highly recommend that developers with strong logical programming thinking also learn some law; the law is not only interesting but also helpful to our work.
Guo Wei: Open source is not free. When using it you must read the open source license clearly. If you are a "newbie" developer, it is safe to start with foundation projects. If you are a professional developer, it is recommended to read the license; only then can you know how to use the software.

Views on open source talent
Tang Xiaoyin: Various roles are needed behind the development of open source in China. In today's open source world, what kind of talent is needed? What suggestions do you have for open source talent?
Zhuang Biaowei: On the one hand, I think any knowledge can be applied to open source. For example, I have recently been studying sociology, anthropology, economics, law and so on, and all of these can be used in open source; open source needs people from all walks of life.
On the other hand, open collaboration is the essence of open source. When you collaborate openly, it is usually better than closed collaboration or going it alone. Open collaboration can happen in any field, and in this process there are many possibilities and many gains.
Guo Wei: China has especially good and diligent developers who have made all kinds of innovations and iterations; I think this is the advantage of open source in China. However, we still have a shortage of talent in the open source field:
The first category is project leaders who can find pain points. Today's open source talent is too technology-oriented, yet the product ideas and requirements behind an open source project are its soul. Leaders who understand technology, have product thinking and can also lead a project are the scarcest talent.
The second category is evangelists. After open source software is developed, how do you promote it better? You need someone who understands the product itself, can explain its advantages, and can finally organize talent in the community: the evangelist.
The third category is product talent. The open source circle currently lacks people with product thinking. At present the open source community is technology-based, and product talent is less likely to be recognized by it, so this kind of person is relatively lacking too, and we should also pay attention to this.
Deng Chao: I think we need some international talent to help China build the influence of open source in the world.
The above is the full content of this episode of "Open Source Roundtable". After reading the experts' discussion, I believe you too can see that open source governance has reached an urgent moment. Understanding the legal boundaries of open source licenses helps open source contributors defend their rights, and at the same time makes open source users aware of the need to comply with the obligations under the license. Only by defining the boundaries can the open source ecosystem develop in a healthy and sunny direction.
For the playback link, see: https://live.csdn.net/room/csdnnews/oj9jFoKJ
