Download to read offline
Uploaded byShane Coughlan
Jeff Luszcz on Open Source Compliance
Jeff Luszcz on Open Source Compliance Compliance is still a personality driven process When influencers leave, a company’s compliance process often falls apart Bus Factor=<1 at many companies Experience levels vary greatly across the industry BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person. Analysis Paralysis is a double edged sword First reviews lead to either NO reviews or MORE reviews Remediation is an ART not a Science The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing We need to start requiring accurate BOMS in contracts with real teeth “Internal Audit” is waking up to OSS issues Pressure building for new FOSS licenses / models OpenChain has a bright future! Well respected and outside knowledge is growing
![20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf](https://cdn.slidesharecdn.com/ss_thumbnails/20260201fosdemgomodjail-librarysandboxingforgomodules-260201225659-76609ec4-thumbnail.jpg?width=640&height=640&fit=bounds)
Jeff Luszcz on Open Source Compliance
- 1. 15 YEARS INOPEN SOURCE COMPLIANCE Jeff Luszcz jeff@luszcz.com @JeffLuszcz
- 2. 15 YEARS INOPEN SOURCE COMPLIANCE INTRODUCTION – JEFF LUSZCZ Founded Palamida in 2004 One of the first Scanning tools to manage FOSS Designed compliance audit program and built out Professional Services team to implement it Team helped everything from basic compliance, M&A due diligence, and open source project hygiene Everyone from sole proprietors to largest software companies in the world Witnessed industry move from dozens of OSS packages to 1000s of packages per BOM
- 3. THINGS LEARNED ALONGTHE WAY Compliance is still a personality driven process When influencers leave, a company’s compliance process often falls apart Bus Factor=<1 at many companies Experience levels vary greatly across the industry BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person. Analysis Paralysis is a double edged sword First reviews lead to either NO reviews or MORE reviews Remediation is an ART not a Science
- 4. WHAT IS HARDFOR COMPANIES? New code is valued over “maintenance” and no dev cycles are earmarked for compliance* (*outside of post M&A work) Top level package licenses can be managed but inner- package licensing is difficult to understand The typical BOM undercounts by 99%! Each layer (build, dev, deployed) is managed by different teams who all are scared to call the lawyers “Here be dragons issues” like Old code with non- standard licenses from dead people
- 5. WHAT’S ON THEHORIZON The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing We need to start requiring accurate BOMS in contracts with real teeth “Internal Audit” is waking up to OSS issues Pressure building for new FOSS licenses / models OpenChain has a bright future! Well respected and outside knowledge is growing
- 6.
Editor's Notes
- #3 We quickly discovered we need the human touch as well
- #4 In terms of maturity We don’t have this problem with financial compliance Experience impacts trust Still at the mercy of the right person being in the right place at the right time, affects the trustworthiness of a company Analysis paralysis: can lead to either ignoring the problem and pushing off compliance OR calling in the experts to fix things ASAP If we did a scan and everything was MIT or Apache 2.0 no one would have problems deciding to run a scan
- #5 In 2019 we are still not scheduling time for compliance Old code with non-standard licenses from dead people: this is problem with some of our core infrastructure that I hope projects like Clearly Defined or similar can help fix We all probably have “That File” or “That Package” we wish could get cleared up
- #6 There are holes in which we are monitoring. The build environment. I’m very concerned about this I’m still amazed that the level of quality in BOMs produced by companies is so large. The company with the better BOM can sometimes be penalized and that’s just wrong. In my interactions with companies who are not on the open chain calls, there is growing awareness. They are happy to see this, even if they don’t feel they can offer any help.