Karsten Reincke, Senior Expert Key Projects / Telekom Open Source Committee at Deutsche Telekom AG, gives a keynote presentation at OW2con'19: "Automating Compliance; a Growing Challenge for Agile + Cloud".
2. Ultimately, …
2019-06-12 K. Reincke: Automating Compliance
FOSS compliance is plain sailing:
We know what we have to do to use FOSS compliantly.
3. Ultimately, FOSS Compliance Is Plain Sailing:
If we distribute a product (in any sense) containing FOSS (in any sense), then we have to distribute the following information together with the product:
- A list naming each FOSS component of that product [name & release number]
- For each component of that list:
  - the corresponding copyright owners (method depends on the license)
  - the respective license text
  - the respective disclaimer
  - (sometimes) some additional files (the NOTICE file in case of the Apache license)
- For each component of that list licensed under a weak or strong copyleft license:
  - a written offer saying that we will deliver the source code if requested
And we have to set up a process for serving requests evoked by the last point:
4. Ultimately, FOSS Compliance Is Plain Sailing
[Figure labels: FOSS Stack; Open Source Compliance Artefact]
5. So, …
If the world is as simple as described,
why do we nevertheless talk so much about FOSS compliance?
10. Why Is FOSS Compliance Tricky?
[Figure labels: Compliance Focus; TELEKOM-APP; LINUX-LIB-1; LINUX-LIB-2; LINUX-LIB-3; GNULINUX-APP; GNU/LINUX LIBRARIES; LINUX KERNEL]
With updates over the air
A challenge for CI/CD
11. Why Is FOSS Compliance Tricky?
DISTRIBUTED TO CUSTOMERS => COMPLIANCE!!!
13. So, Why Is FOSS Compliance Tricky?
Products use a mass of FOSS components
… sometimes in the form of a mess
14. You are not alone
15. The Community supports us
[Figure labels: Compliance Automation; QMSTR; SW360; SOFTWARE HERITAGE; FOSSA; RIVER]
16. The Community supports us
SW360 … provides … a central hub for software components in an organization
17. The Community supports us
FOSSology is a toolkit by which you can run [and manage] license, copyright and export control scans.
18. The Community supports us
The Software Package Data Exchange is an open standard for communicating software bill of material (including components, licenses & copyrights …)
19. So, …
Is our situation paradisiac?
Complex, but already solved?
20. So, is our situation paradisiac?
Do we have the complete compliance tool chain?
21. The FSFE Legal & Licensing Workshop 2019
22. Doubts may be allowed …
But what can we do?
25. The Solution: 3 compliant products …
[Figure labels: Open Source Compliance Artefact (shown three times)]
… with 3 manually created reference Open Source Compliance Artefacts
26. The Solution: Purpose
Give the tools the chance to prove what they really can!
27. The Solution: Purpose
Close the automation gaps systematically!
28. The Solution: Must also be Open Source!
https://github.com/Open-Source-Compliance/tdosca
T.D.OSCA
Test Driven Open Source Compliance Automation