Managing the Android Supply Chain and the Role of SPDX

2,158 views
1,854 views

Published on

Android has revolutionized the mobile and device landscape and like many FOSS projects, Android is complex. Effective management and control requires training, tools, processes and standards. The SPDX standard will reduce friction in the mobile supply chain, increase efficiency and promote compliance.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,158
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Welcome to the session. Great to be hereI’m EVP for Product Development and Strategy at Black DuckWe have a number of Customers that are producing Android devices and applications.Share with you information and issues about the Android Supply Chain, Open SPDX and OSS Licensing. However I am not a lawyer and don’t give legal adviseYou can stop by the Booth to learn more and will also give you pointers to additional information
  • Android is the clear winner and represents a huge market opportunityShows the power of OSS and community development
  • License compliance has been in the news recently
  • This is the Google Android Architecture diagramRun time on virtual machine External components like webkit and SSLApplication developers and device manufacturer will innovate at different places in the architecture as indicated by the yellow dots.Device Manufactures will modify lower in the architectureThe issue is depending on what you change, and what license the component is licensed under will dictate a set of obligations.
  • Bionic library – Declared license: BDSGoogle developed a custom library for the C compiler (libc) called Bionic. This was necessary for three main reasons: License: they wanted to keep GPL out of user-space. Bionic code uses the BSD license. (Hal Note – glibc is under the LGPL)Size: the library has to be loaded in each process, so it needs to be small. Bionic is about 200K, or half the size of glibc (the GNU version of libc).Speed: limited CPU power means it needs to be fast. Bionic has a small size and fast code paths, including a very fast and small custom pthread implementation.Bionic has built-in support for important Android-specific services such as system properties and logging. It doesn’t support certain POSIX features, like C++ exceptions and wide chars, which were not needed on Android. Thus it’s not quite compatible with the gnu libc. All native code must be compiled against bionic, not glibc.Bionic – google rewrite of c libWebkit – Declared license: LGPLOpen source web browser engineTool Kit for web functionalityIn both cases it is important to look below the declared license
  • Meeting obligation working with a supply chain in a dynamic environment makes complying with OSS obligation very, very challengingLegal council and Black Duck haven been approached with the question “This is a small device without documentation do the obligations apply to me”?If you ship a device with OSS in it, that counts as a distribution and the licenses and obligations apply to you. No exceptions for small devices or how little room on device for complianceWith the rapid product release cycle, products change frequently it becomes a real issue to match the precise source code to a device serial number. Must find a way to manage source code inventory and distributionReal benefit from open platform but If you ship the product you have the obligation. There is duplicate work being created my multiple vendors. There is an opportunity for industry collaboration. I speak about such an effort in two slides. No downstream defense for upstream violation. Some have thought well I got the code from someone else it is there responsibility to comply . Turn over responsibility for source code available or copyright obligation. Each organization is the supply chain is responsible for their own compliance.The only way to handle this obligation is top have a solid tracking and inventory system in place. Don’t want to duplicate work
  • Great discussion in the industry about app stores. License compatible, source code available, notifications, warranty, indemnificationHow to mange compliance while still enabling low cost distributionWill compliance with obligation raise the price of the application.Puts a cost and burden on the communityFSF in Europe has a focus group on app storesiTunes Terms of ServicePlaces an additional obligation on the software that it must be licensed for use on a single device.The GPL doesn’t allow for additional obligations.EbenMoglen – Founding director – SFLCVLC media player removed form iTunes in January 2011 for this reasonAndroid StoresGoogle Android store appear to be compatible with the GPL.Focus on lower cost applicationsNotice type of approach
  • Managing the Android Supply Chain and the Role of SPDX

    1. 1. Managing the Android SupplyChain and the Role of SPDXBill McQuaideEVP Products and StrategyBlack Duck Software.
    2. 2. Agenda FOSS in Mobile Trends Device Manufacturers Application Developers Supply Chain Management SPDX Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 2
    3. 3. Open Source Drives Mobile Innovation New Mobile OSS Projects4000  Over 3,800 new OSS3000 projects in 2010,2000 doubling each of the last 3 years1000 0 2005 2006 2007 2008 2009 2010  94% of new projects that specify a platform New 2010 FOSS Projects by are targeting Android Platform and Apple/iOS Blackberry Windows 2% Apple iOS 2% 39%  Open source has Palm/Web OS Symbian 1% redefined the mobile Android 1% industry and is spreading far beyond 55% Meego/Maem o 0% Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    4. 4. Android is a Large, Growing Opportunity O/S Market Share: Q2 201150 43.44030 22.1 18.220 11.710 1.9 1.6 1 0 Android iOS RIM Symbian Bada Microsoft Other (Nokia) (Samsung) Share Gain (Loss) 2010 to 2011 • 428.7 million units 30 26.2 • 16.5% growth form Q2 ’10 25 20 15 Source: Gartner, August 2011 10 4.1 5 1 0 -5 Android iOS RIM Symbian Bada Microsoft Other-10 (Nokia) (Samsung) -3.3 -2.2 -7-15-20 -18.8-25 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 4
    5. 5. Android Devices: Phones, Tablets, eReaders,Autos, more….. Lenovo LePad Barnes & Noble NookAutomobile: Android powered SaaB Droid by Motorola Samsung Galaxy Dell Streak HP Touchpad HTC Evo Shift Motorola Xoom Sony Internet TV Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 5
    6. 6. Managing FOSS in the Android Ecosystem and Software Supply Chain Suppliers Device OEM OS/Software Stack/Device App Developer Typical Smartphone has over 300 components Corporate-Owned IP Security Proprietary/Licensed IP Networking FOSS Email Outsourced development Graphics Multi-level supply chains Database Web Services Many more…6 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    7. 7. Android Compliance is a Concern “The vast majority of Android tablets Ive been able to find are shipping without any source being made available, and that includes devices from well-known vendors. “ Matthew Garrett, Red Hat, Linux Kernel DeveloperSource: //www.codon.org.uk/~mjg59/android_tablets/ Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    8. 8. Agenda FOSS in Mobile Trends Device Manufacturers Application Developers Supply Chain Management SPDX Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 8
    9. 9. Complexity for Device Manufacturers Components and code from many suppliers Need to control and manage building software on a rapidly changing O/S – Multiple releases per year Customize Android for: – The type of device (phone, tablet, TV, etc.)  Device drivers, power consumption, etc. – User experience Do it all while ensuring compliance Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    10. 10. Android & Vendor Innovation Developers Typical areas of vendor/developer innovation Source: Google - //source.android.com/ Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    11. 11. What’s Inside Android?Android 165 Projects – 83 are “External” – Does not include Kernel Mirror Total Size – Over 80,000 Files – Over 2GB total size – Does not include Kernel Mirror Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    12. 12. Android’s Composition Licenses – Declared license: Apache 2.0 – Components reference 19 different licenses – External components  Linux, Webkit use reciprocal licenses (GPLv2, LGPL) – Other components: more than 30 of them use reciprocal licenses (GPL, LGPL, CPL, etc.)  e.g. dbus, grub, emma, e2fsprogs, bluez, Bison – Non-OSI approved licenses are used, including OpenSSL and Bzip2 Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    13. 13. A Look Inside Two Android Components:Bionic & WebkitLicense types in: Bionic License types in: WebkitBSD 2.0* BSD 2.0CMU License David M. Gay LicenseCryptix License GPL 2.0Free clause ICU LicenseFreeBSD LGPL 2.1*Historical free MIT License V2INRIA OSL MIT v2 with Ad Clause LicenseIntel OSL Mozilla Public License 1.1Internet Software Consortium PCRE LicenseMIT Public DomainPublic Domain SWIG LicensePython InfoSeek The wxWindows Library License zlib/libpng LicenseX.Net License *Declared license Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 13
    14. 14. Obligations and Misperceptions  No “small device” exceptions  Must provide source for the specific device  Compliance is required by every vendor that ships the platform  There is no “downstream defense for upstream” violations Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    15. 15. Agenda FOSS in Mobile Trends Device Manufacturers Application Developers Supply Chain Management SPDX Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 15
    16. 16. App Stores and FOSS Licenses GPL licensed app’s can not be distributed through the Apple iTunes Store (or any store that imposes restrictions) – Apple ToS (terms of service) require that all software be licensed for use on a single device only – “Copylefted software can’t be un-freely relicensed, so it can’t be transacted for under Apple’s current ToS” Eben Moglen, SFLC – Just like GPLv2, GPLv3 prohibits distributors from placing additional restrictions on the software through legal documents or similar means” Brett Smith, Free Software Foundation Android stores – “So far as we know…the Google Android market… do not place any limitation on how a market participant’s application is licensed that would inhibit distributing Android applications in the market under copyleft licensing.” Eben Moglen, SFLC Permissive licenses (e.g., Apache, MIT, BSD) appear to be compatible with app store Terms of Service Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 16
    17. 17. Agenda FOSS in Mobile Trends Device Manufacturers Application Developers Supply Chain Management SPDX Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 17
    18. 18. Software Supply Chain Management Open source is typically outside of normal commercial s/w procurement processes The Challenges – An increasingly diverse and distributed set of development resources  Internal teams  Commercial software vendors  Outsourcers  Open source communities – Little/no visibility into the origins of the software Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 18
    19. 19. Example Supply Chain Business Process Item Need Purchase Determined Req. Created Planning Purchase Req. Approval Order Consumes Purchase Order the items Created & Sourced Production Requests to use Items for Order Item Arrives in Receiving QA Inspects & Releases to Inventory Transfer Order and Inspection Order Created Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    20. 20. Supply Chain Comparison: HW vs SW HW Supply Chain Techniques – ERP systems brought together different users and processes – Workflow automates task creation  Notifications  Process Monitoring – Central repositories of data – Business Process Integration is the key Technology companies have software supply chains Software products have bill of materials (BOM’s) Similar roles and events – Materials Planner = Product Management – Purchase Req’s = Component Approval Request – Warehouse = Source Code Management – Quality Assurance = Numerous types of code analysis – Procurement Approvals = Legal & Compliance Approvals – Shop Floor Production = Engineering Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    21. 21. Example Software Development BusinessProcessNeed for a component is identified Component Approval Request Created New License initiates license review Verifies License Approved with Compliance Conditions for Use for Release Implements Component Conditional Approval Granted Perform Risk Assessment, Security Reviews and Export Compliance Reviews Review Business Case, Support Options and other Criteria Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    22. 22. Best Practices for Managing Android Policy Process Technology Adopt and enforce an open source and third-party code policy Identify and track all external code that is used Automate validation at the point of acquisition and development Automate monitoring and tracking of Android components Control the use of components and promote standardization, support standards (SPDX) Use automation tools to produce complete Bills of Material and reports for supply chain partners Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    23. 23. Agenda FOSS in Mobile Trends Device Manufacturers Application Developers Supply Chain Management SPDX Summary Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 23
    24. 24. Software Package Data Exchange™ (SPDX™) Working group of the Linux Foundation Charter:  Create data exchange standards to enable license and component information sharing (metadata) Participation from over 16 organizations including software, systems and tool “SPDX is a crucial vendors, consultants and foundations building block in an industry-wide V 1.0 Released August 2011 system of automated license compliance administration” Eben Moglen, SFLC Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    25. 25. SPDX™ MembershipOpen Source OrgEnd-UsersIntegration & ServicesDevice OEMsApplicationsOS DistributionsSystemsSemiconductors …and others Participation is from a range of organizations and across various roles Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 25
    26. 26. The Need I don’t mind vetting our code, but I’m sure this package has Every customer Our suppliers been analyzed a aren’t giving us wants a bill of dozen times materials in acomplete licensing before. information. different form. software in software out We need a standardized adopted format for a FOSS Bill of Materials Copyright © 2011 Black Duck Software, Inc. All Rights Reserved. 26
    27. 27. The Solution Define a file format for license information to accompany open source packages – Focus: Just the facts – no interpretations Benefits – Allows easy exchange of license information between companies reducing burden on both suppliers and consumers – Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers – Provides a unified method for exchanging license information Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    28. 28. Summary Android has revolutionized the mobile and device landscape Like many FOSS projects, Android has complexity inside Effective management and control requires training, tools, processes and standards The SPDX standard will reduce friction in the supply chain, increase efficiency and promote compliance Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    29. 29. Information Resources Webinar-based education: – www.blackducksoftware.com/webinars/legal/ – Introduction to Open Source Licenses – Understanding the Top 10 Open Source Licenses – Unraveling the Complexities of the GPL Black Duck Android white paper & webinar – www.blackducksoftware.com/android – www.blackducksoftware.com/webinars/legal/android.html Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.
    30. 30. Thank You bmcquaide@blackducksoftware.com
    31. 31. Supply Chain Program Elements1. Published Policy2. Open Source Process Owner3. Approval Processes4. Monitoring & Tracking Process5. Obligation Verification Process Copyright © 2011 Black Duck Software, Inc. All Rights Reserved.

    ×