Managing Open Source Software Supply Chains
Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.

Agenda

• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management

Speaker notes

• OSS compliance is always in some supply chain context, because most obligations are triggered by distribution of the software.
• Think about the subset of Deployed components from the beginning. Precision may be difficult, but accuracy at the library level is the most critical information. There are commercial tools (plugins) for major software development systems (Maven, Atlassian, etc.), but these do not usually automate compliance.
• Engineers cannot / will not track OSS using spreadsheets. Enterprise approval/tracking systems are far from the actual code.
• Format based on plain text and simple conventions: name/value pairs separated by a colon. Easy to read and write for humans, or processed using a script. Syntax based on RFC5322 (email header fields). Well-defined and extensible so that it can be used for basic or advanced (build system) approaches to compliance automation. An ABOUT file is stored in the same directory as the software component it documents, so there is no need to change the code you document.
• Supports integration with the DejaCode License Library. Will support creation of SPDX files.
• Depends on policies and standards, such as the format for Attribution text and where you provide/display it. Iterative process to refine the compliance deliverables. The basic approach may be good enough for many products.
• The advanced approach is best suited for software groups with an integrated build and continuous integration approach. Existing tools may provide part of a solution already, highly dependent on language/platform and tooling. A key benefit can be automatically applying policies to prevent Deployment of components based on license.

Slide 1: Managing Open Source Software Supply Chains

Slide 2: Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions

Slide 3: Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks

Slide 4: How to Comply – Notices
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply, because notices are “baked in” to the distribution package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most licenses
• Online delivery is usually not sufficient
• Relying on third party notices is usually not sufficient

Slide 5: How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is a good practice

Slide 6: How to Comply – Licenses
• Need to carve copyleft licensing requirements from EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated licensing of source and binaries

Slide 7: Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers

Slide 8: FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under GPL
• Defendant: FANTEC
• Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made a version of the source code available for download that it had received from its contract manufacturer. It was not the right source code for the binaries.
• Court holding: a distributor of software may not rely on assurances made by the supplier of the software that the software does not infringe the rights of any third party
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a settlement that specified penalties if FANTEC committed any future GPL violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free Software Foundation, compliance engineers discovered that the firmware object code shipping with the 3DFHDL included iptables and that the source code provided by FANTEC did not.

Slide 9: OSS Supply Chain Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
  – Software BOM
  – Attribution Text
  – Source Code Redistribution Packages as needed
• The new challenge is what to do with the OSS information from suppliers
  – Where to put the data for future reference and use
  – How to validate/audit the data with minimal rework
  – How to deal with errors in the supplier-provided data

Slide 10: OSS Supply Chain Context
Diagram: Component Catalog; Supplier; Software Package (Software BOM, OSS Attribution Text, OSS Source Code); OSS SW Packages; Customer; ISV SW Packages; Embedded OSS

Slide 11: OSS Supply Chain Solutions
• SPDX – Software Package Data Exchange®
• A standard format for communicating the components, licenses and copyrights associated with a software package
• Intended to support automated exchange of Software Package Data
• Working Group of the Linux Foundation at www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone

Slide 12: SPDX Today – v1.1
• Supports exchange of component and license data in RDF/XML or Tag/Value format
• Designed for automation of data exchange, not a tool for provenance analysis
• v2.0 will address complex Software BOMs
Diagram – SPDX 1.1 document sections: Document Information, Creation Information, Package Information, File Information, Licensing Information, Review Information

Slide 13: OSS Supply Chain Data
• SPDX provides a “container” for exchange of component and license data, but you still need to create and manage the data for your products
• Possible data sources include:
  – Open source projects
  – Suppliers
  – Internal analysis / audit
  – Third-party analysis / audit
• You need somewhere to keep and maintain/update the component and license/origin data

Slide 14: OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
  – Engineers can use and update the data during normal software development activities
  – Independent of programming languages or tools
• Able to produce data for:
  – Delivery to customers as
    • Attribution and Redistribution packages
    • SPDX files
  – Synchronization with enterprise systems

Slide 15: ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html

Slide 16: ABOUT File Example
A text file in “tag / value” format, httpd-2.4.3.tar.gz.about:

    name: Apache HTTP Server
    home_url: http://httpd.apache.org
    download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
    version: 2.4.3
    date: 2012-08-21
    license: apache-2.0
    license_file: httpd-2.4.3.tar.gz/LICENSE
    copyright: Copyright 2012 The Apache Software Foundation.
    notice_file: httpd-2.4.3.tar.gz/NOTICE

Slide 17: ABOUT-Code tools
• Create ABOUT files in a codebase from a Software BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet) from ABOUT files in the codebase
• Create an Attribution text file
  – Text file organized by copyright/license notice and component
  – Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools

Slide 18: “Virtuous” Compliance Lifecycle
Diagram: Product Release (R1) Baseline → R1 Software Inventory/BOM → R1 Codebase ABOUT Files → Component License Text → Attribution Display / Docs → Source Code Redistribution Package → Update ABOUT Files → R2 Codebase ABOUT Files → R2 Software Inventory/BOM

Slide 19: Basic Automation – Today
• Use ABOUT-Code to read ABOUT files to
  – Create a Software BOM / Inventory
  – Create an Attribution text file
  – Create a Source Code Redistribution package list
• Edit output files to remove components that are not Deployed
• Add the Attribution text file to the product documentation and/or product GUI (Help / About)
• Assign an engineer to create the Source Code Redistribution package with installation/build instructions
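The pipeline of slides 16, 17 and 19 in code, as an added example that is not the deck's or the ABOUT-Code project's own: read ABOUT "tag / value" files in RFC5322 header style, keep only the Deployed components, and emit the Attribution text and the Source Code Redistribution list. The set of copyleft license keys, the folded-continuation-line rule, the `deployed` filter and the second sample component are assumptions.

```python
import re

# Assumption: license keys that trigger source redistribution (slide 5: GPL, LGPL, other copyleft).
COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0"}
_FIELD = re.compile(r"^([A-Za-z0-9_]+):\s*(.*)$")

def parse_about(text):
    """Parse RFC5322-style 'key: value' lines; an indented line continues the previous value."""
    fields, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and key:               # folded continuation line (assumed rule)
            fields[key] += "\n" + raw.strip()
            continue
        m = _FIELD.match(raw)
        if not m:
            raise ValueError("malformed ABOUT line: %r" % raw)
        key, fields[key] = m.group(1), m.group(2).strip()
    return fields

def attribution_text(abouts, deployed):
    """Attribution text (slides 17/19): one block per Deployed component, ordered by name."""
    blocks = ["%s %s\n%s\nLicense: %s" % (a["name"], a.get("version", ""),
                                          a.get("copyright", ""), a["license"])
              for a in sorted(abouts, key=lambda a: a["name"]) if a["name"] in deployed]
    return "\n\n".join(blocks) + "\n"

def redistribution_list(abouts, deployed):
    """Download URLs of Deployed components whose license requires shipping source."""
    return sorted(a["download_url"] for a in abouts
                  if a["name"] in deployed and a["license"] in COPYLEFT)

# Constructed sample inputs: the slide 16 httpd fields plus a made-up GPL component.
HTTPD_ABOUT = """name: Apache HTTP Server
version: 2.4.3
license: apache-2.0
copyright: Copyright 2012 The Apache Software Foundation.
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
"""
FILTER_ABOUT = """name: netfilter-example
version: 0.0
license: gpl-2.0
copyright: Copyright (c) Example Holder
  (constructed sample; continuation line)
download_url: http://example.invalid/netfilter-example-0.0.tar.gz
"""
ABOUTS = [parse_about(HTTPD_ABOUT), parse_about(FILTER_ABOUT)]
```

Dropping a component from `deployed` removes it from both outputs, which is the "remove components that are not Deployed" step of slide 19 done once, upstream, instead of by hand-editing the generated files.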
Slide 20: Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create the Attribution text file
• Insert Attribution text into the GUI (Help / About)
• Collect source code for the components that require Redistribution (including dependencies)
• Create an archive file of the Redistribution package

Slide 21: ABOUT-Code
• Download and use the code from GitHub at: https://github.com/dejacode/about-code-tool
• Read the specification at: http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at: http://www.dejacode.org/

Slide 22: Questions

Slide 23: About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35 locations in the United States, Latin America, Europe, the Middle East and Asia.
• An international network of more than 1,750 attorneys & governmental affairs professionals

Slide 24: About nexB Inc.
• nexB offers:
  – Software analysis/audit services for products and for acquisitions
  – DejaCode Enterprise – a central business system for managing software components
• 200+ software audit projects completed to date
  – Aggregated audited codebases > 3 billion lines of source code
  – Aggregated value of the acquisition transactions > $5B
• See DejaCode Enterprise at www.dejacode.com

Slide 25: DejaCode.org
• nexB is sponsoring DejaCode.org as a community site to share techniques and tools for automating compliance with OSS obligations
• Documentation of existing techniques and tools from Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at: www.dejacode.org

Slide 26: Contacts
• Greenberg Traurig
  Heather Meeker
  MeekerH@gtlaw.com
  +1 650 289 7825
  Subscribe to news and events alerts at http://eepurl.com/wQIp9
• nexB Inc.
  Michael Herzog
  mjherzog@nexB.com
  +1 650 380 0680